ISSN. 1363-6650 



JULY 1998 
Issue 19 



FORENSIC COMPUTING, 



Contents 



Comment 


page 


2 


News 


page 


3 


Product news 


page 


11 


Fake software ring 


page 


14 


Nuclear hackers 


page 


15 


UK DERA porn scandal 


page 


17 


UK Evidence guide 


page 


18 


Forensic Q&A 


page 


22 


Notice board 


page 


23 



Advisory Board 



(Jommcnt 



° John Austen 

Computer Crime Consultants Ltd & Royal 
Holloway College, University of 
London, UK 

e Jim Bates 

Computer Forensics Ltd, UK 

e Alexander Dumbill 

King Charles House Chambers, UK 

° Ian Hayward 

Former lecturer, Department of Information 
Systems, Victoria Unh rsity of Technology, 
Australia 

e Robert S Jones 

Computer Related Crime Research Centre, 
Queen Mary & Westfield College, 
University of London, UK 

• Nigel Layton 

Quest Investigations Pic, UK 

• Stuart Mort 
DRA, UK 

• Michael G Noblett 

Computer Analysis Response Team, FBI, US 

• Howard Schmidt 

Director of Information Security, Microsoft 
Corp. Former Director of US Air Force 
Office of Special Investigations Computer 
Forensics Laboratory 

• Gary Stevens 

Ontrack Data International Inc, 

US 

• Ron J Warmington 
Citibank NA, UK 

• Edward Wilding 
Network International Ltd, UK 

Editorial Team 



• Paul Johnson 
Editor 

• Sheila Cordier 
Managing Editor 

International Journal of 
Forensic Computing 

Third Floor, Colonnade House, 
High Street, Worthing, 
West Sussex, UK 
BN11 1NZ 

Tel: +44 (0) 1903 209226 
Fax: +44 (0) 1903 233545 
e-mail:ijfc@pavilion. co.uk 
http://www.forensic-computing.com 



It is only now that we are truly be- 
ginning to see the full implications of 
the computer, and this is no where more 
true than in the field of crime fighting 
and law enforcement. 

Technology can be used as a tool to 
commit crime at the click of a mouse, 
whether it is multi-million pound fraud 
or Net porn. And by a similar token, com- 
puters can contain the vital evidence to 
secure a conviction - the classic smok- 
ing gun brought up to speed. 

It's taken a while for police forces 
across the world to get to grips with the 
implications. Just a few years ago the 
concept of computer forensics was just 
that - a theoretical concept for most 
people. Now it is a burgeoning industry 
and computer crime cases are being 
prosecuted in courts across the globe. 

But we've still got a long way to go. 
While computer crime is being tackled, 
it is being done in a haphazard and un- 
predictable way. Just about every law 
enforcement group has a different way 
of approaching the subject and the re- 
sult is that many cases are either lost or 
hugely compromised. 

In the UK, police forces are gradu- 
ally finding common ground and learn- 
ing from each other, but there are still 
many forces in the country which are 
going their own way, possibly with dis- 
astrous consequences. The same story 
is true for the rest of Europe, which still 
has a lot of catching up to do, and the 
US, where the problem of computer 
crime has been recognised for many 
years but a comprehensive strategy to 
tackle it has not been put in place. 

That's why the article on page 19 of 
this month's Journal is so important. It 
is about the guidelines produced by the 
UK Association of Chief Police Offic- 



ers to create a framework for the appli- 
cation of computer forensic skills. 

This builds on the conclusions of the 
G8 international meeting of ministers 
last year and sets up the parameters for 
just about all the work done within fo- 
rensic computing, from evidence re- 
trieval to investigation and prosecution 
of computer crime. 

It is not a "how to do it" guide to 
computer forensics, nor does it try to 
be. Instead it is an attempt to create a 
common set of rules that will hopefully 
mean an end to embarrassing and costly 
prosecution failures. Of course, like 
every science, those involved in foren- 
sic computing will learn from their mis- 
takes and put them to constructive use - 
without setbacks there is no evolution. 

But the ACPO document will pro- 
vide a level playingfield for everyone in 
the industry, a common set of standards 
that will hopefully be the cornerstone 
of tackling computer crime. 

Police, law enforcement and govern- 
ment agencies across the world should 
look closely at the ACPO guidelines to 
see how it could be incorporated into 
their own local or national strategy. And 
the British police would welcome inter- 
national input in a bid to come up with 
the best working practises possible. 

Computers are not limited to geo- 
graphical or political boundaries and it's 
important that crime investigation isn't 
either. The field of forensic computing 
will grow at a faster and faster rate, po- 
tentially into a ragbag mix of conflict- 
ing ideas, methods and laws. 

But with development of documents 
like the ACPO guidelines, politicians 
and law enforcement groups across the 
world have a real chance of pooling their 
resources to become truly effective. 



All rights reserved. Without prior permission of the Publisher, no part of this publication may be reproduced, stored in 
a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or 
otherwise. 

Articles are published on the understanding that publication is not taken to imply endorsement of the views therein by the 
Publisher or Editorial Team or members of the Advisory Board of the Journal. Courses of action described in the Journal 
in relation to one set of circumstances will not necessarily be appropriate for a different set of circumstances. 

Accordingly, readers should take their own independent specialist advice before proceeding on any project or course of 
action and any failure to do so is at their own risk. No responsibility is assumed by the Publisher or Editorial Team or 
members of the Advisory Board for any loss or damage to persons or property as a matter of contract, negligence (save 
in respect of liability for death or personal injury arising out of any negligence) or otherwise, or from any use or operation 
of any methods, products, instructions or ideas contained in the material herein. Whilst all reasonable care is taken, neither 
the Publisher, nor the Editorial Team, nor members of the Advisory Board can be held legally responsible for any errors 
in articles or listings. Upon submission of an article, the author will be requested to transfer copyright of the article to the 
Publisher. 



July 1998 



International Journal of Forensic Computing 



News 



Bid to cut spam 

The British government has an- 
nounced that it is planning a series of 
tough new laws to clamp down on e-mail 
and fax spammers. 

While e-mail spamming is well 
known in the online world, a number of 
UK firms, notably the British Fax Di- 
rectory, have progressively built up-to- 
date indexes of virtually all PSTN (pub- 
lic switched telephone service) acces- 
sible fax machines in the UK. 

These are said to have been built up 
by the laborious procedure of calling all 
phone numbers in specific sequences in 
the UK and letting the line ring out for a 
few ring cycles. If a fax machine or mo- 
dem tone answers, the number is logged. 

Such calling patterns are, according 
to Oftel, the government regulator, ille- 
gal under current telecoms legislation, 
but the databases used by these junk fax 
firms now appears to be complete. 

The junk fax firms buy telephone 
time by the millions of minutes at deep 
discount rates, with no call minimum, 
and send out faxes urging recipients to 
call up its fax servers to receive faxes 
on topics ranging from repossessed 
houses going cheap to details of outlets 
for cut price designer clothing. 

The numbers for these services are 
premium rate, meaning that callers pay 
up to a £1.50 ($2.50) a minute, and then 
often receive a fax at just 2,400 bits per 
second - a quarter of the normal fax 
speed. Pages often take a minute or 
more to download. 

It is this problem that the legislation 
aims to resolve. Earlier this year, ECTIS, 
an Oftel telecommunications watchdog 
subsidiary, noted in a report that un- 
wanted faxes had overtaken chatlines to 
become the most common cause for 
complaints to its helplines. 

Now the Department of Trade and In- 
dustry has started a consultation period 
aimed at drawing up means of control- 
ling "cowboys" in the direct marketing 
industry. The move is being made in ad- 
vance of a European Commission data 
directive, which comes into force this 
coming October. 

Although precise details of the DTI 
initiative are still up in the air, sources 
close to the DTI suggest that new legis- 



lation will make it a criminal offence, 
punishable by a fine or even imprison- 
ment, to send unwanted faxes, e-mails 
and phone calls offering goods and serv- 
ices, to businesses and consumers. 

Man admits porn 

A man admitted possessing porno- 
graphic computer pictures of children 
in the US after prosecutors agreed to 
drop distribution charges. According to 
US Attorney Faith S. Hochberg, Eugene 
Byrnes, from New Jersey, pleaded 
guilty to one count of possession of 
child pornography. 

The defendant waived the right to have 
his case presented to a grand jury and 
pleaded guilty to charges presented by 
the government, Hochberg said. 

In court, Byrnes admitted that in Sep- 
tember of 1996 he possessed more than 
20 child pornographic computer images 
on the hard drive of his computer and 
on at least two computer disks. 

Byrnes allegedly used America 
Online on September 4, 1996, to trans- 
port eight child pornographic pictures, 
and allegedly used AOL to receive a to- 
tal of 1 6 child pornographic photographs 
between September 4 and 17, 1996, ac- 
cording to an earlier indictment. 

The earlier indictment also showed 
that by December 11, 1996, Byrnes pos- 
sessed more than 180 child porno- 
graphic photographs. 

Authorities say Byrnes had pos- 
sessed at least 180 graphic image files 
containing visual depictions of minors 
engaging in sexually explicit conduct. 

Under the terms of the plea agree- 
ment, Hochberg said the government 
agreed to dismiss the September 12, 
1997, six-count indictment returned 
against Byrnes, charging him with re- 
ceipt and transportation of the child por- 
nography, in addition to the possession. 

Byrnes, a self-employed risk man- 
agement consultant, faces a maximum 
of five years in federal prison and a 
$250,000 fine when he is sentenced on 
August 3 1 by US District Judge John C. 
Lifland. Byrnes currently remains free 
on an unsecured bond until sentencing. 

• Another man from New Jersey 
in the US has been arrested for alleg- 
edly possessing three computer disks 



containing child pornography. 

US Attorney Faith S. Hochberg said 
that Alfred Ciolino, 43, was arrested by 
US Customs Service Special Agents and 
New Jersey Police Department officers 
on a three-count indictment. 

According to the indictment, Ciolino 
was charged with the possession ofthree 
computer disks, one containing five im- 
ages, another with three images and a 
third with eight images of child pornog- 
raphy. If convicted, Ciolino faces a 
maximum of five years in prison and a 
$250,000 fine on each count. 

FTC blasts industry's 
online privacy efforts 

The US Federal Trade Commission 
has attacked the online industry's efforts 
to protect consumer privacy through 
self-regulation. 

The Commission's online privacy 
report, delivered to Congress, found that 
consumers have little privacy protection 
on the Internet, with only 14 per cent of 
commercial Web sites disclosing their 
information collection practices. 

The Commission's survey of over 
1,400 Web sites also found that only 
about two per cent of the sites currently 
provide a comprehensive privacy policy. 

And when it came to children's Web 
sites, 89 per cent of the 212 children's 
sites surveyed collect personally iden- 
tifiable information directly from chil- 
dren, and only 54 per cent of the chil- 
dren's sites disclose their information 
collection practices. 

The Commission said, is that fewer 
than 10 per cent of the sites directed to 
children provide for some form of pa- 
rental control over the collection of in- 
formation from their youngsters. 

The Web site survey "tells us that 
industry efforts to encourage voluntary 
adoption of these principles have not 
met with great success," FTC Chairman 
Robert Pitofsky said. 

Pitofsky said that "more incentives 
are necessary to encourage self-regula- 
tion and to ensure consumers that their 
personal information will be protected 
online." 

In examining current online industry 
self-regulatory policies, the Commis- 



International Journal of Forensic Computing 



July 1998 

3 



sion concluded that these guidelines 
generally encourage "members to pro- 
vide notice of their information prac- 
tices and some choice. ..but fail to pro- 
vide for access and security or for en- 
forcement mechanisms." 

The study examined Web sites in six 
categories, including commercial sites; 
children's sites; health, retail and finan- 
cial sites; retail; financial; and "most 
popular" sites. 

Of the commercial sites, the FTC 
found that, while 92 per cent collect per- 
sonal information, 8 per cent of the 
children's sites took iformation and 
some 88 per cent of trie 404 health, re- 
tail and financial sites surveyed collected 
personal information. 

Financial Web sites rank the worst 
in disclosure statements, the FTC study 
found, with 97 per cent collecting per- 
sonal and only 16 per cent disclosing 
information practices. 

Although the online industry has ini- 
tiated a new set of self-regulatory guide- 
lines regarding online privacy, the Com- 
mission's report recommends legisla- 
tion, particularly in the area of children's 
online privacy "that would place parents 
in control of the online collection and 
use of personal identifying information 
from their children," Pitofsky said. 

"To date we are not satisfied with the 
implementation of fair information 
practices by the online industry," he 
said. 

• If the private sector won't en- 
sure consumers their privacy is pro- 
tected online, then the federal govern- 
ment will step in and try, Commerce 
Secretary William M. Daley warned. 

Daley, opening a two-day online pri- 
vacy summit in the US, challenged the 
private sector to "implement enforce- 
able privacy protections to ensure that 
consumers can feel confident that their 
personal information is safe online. 

"Articulating principles isn't ad- 
equate," he said, warning that "there has 
to be some meaningful consequences to 
companies that don't comply." 

He added: "I sincerely hope industry 
steps up to the plate first," Daley said. 
"But if it doesn't, we will have to con- 
sider all the options we have for protect- 
ing the American consumer." 



The Clinton administration is closely 
examining a private sector proposal to 
protect privacy in business transactions 
on the Internet, Daley said, but noted that 
"industry must move swiftly to draft an 
effective plan to enforce privacy or face 
inevitable government regulation of 
electronic commerce." 

Daley told the summit his first im- 
pressions of a proposal by the Online 
Privacy Alliance, a group of 50 compa- 
nies and business associations to self- 
regulate online privacy was positive, but 
expressed disappointment over the 
group's request for additional time un- 
til September 15 to come up with a pro- 
posal to enforce privacy on the Internet. 

"There has to be a way to enforce this 
that the consumer can trust, or this won't 
work." Daley said public concern over 
Internet privacy is so high that govern- 
ment will "have no choice" but to inter- 
vene unless industry "puts its teeth" in 
its self-regulatory plan. 

Online industry bets 
on gambling 

Internet companies and organisations 
fear a US bill designed to curb online 
gambling will make criminals out of 
them overnight. 

The bill, S 474, is otherwise known 
as the Online Gambling Prohibition Act. 
The legislation, introduced by Sen. John 
Kyi (R-Arizona), seeks to ban Internet 
gambling, and would let federal, state and 
local officials halt telephone and Net 
service to computer gambling concerns. 

The Online Gambling Prohibition 
Act also provides for criminal penalties 
for violations, including fines up to 
$2,500 and a maximum of six months 
in jail, and would allow the president to 
seek agreements with foreign govern- 
ments to allow US law enforcement of- 
ficials to prosecute operators of off- 
shore gambling concerns that enter the 
US through the Internet. 

The online industry, however, is lob- 
bying that the bill would make every In- 
ternet service provider, every online 
service and every telephone company 
criminally liable for "knowingly" trans- 
mitting gambling information. 

The bill would also subject ISPs and 



online services to court actions that 
would require them to engage in the vir- 
tually impossible task of trying to moni- 
tor, identify and block access to Web 
sites overseas, members of the Interna- 
tional Internet Gaming Association said. 

But Kyi said: "The law must keep 
pace with technology," he said. "Gam- 
bling is either heavily regulated or ex- 
pressly prohibited in the states. In the 
Internet, it is neither." 

Kyi, chairman of the technology, ter- 
rorism and government information sub- 
committee of the Senate Judiciary Com- 
mittee, added that "given the tremendous 
potential for abuse, addiction and access 
by minors, online gambling should be 
prohibited." 

Kyi's bill would amend sections 
1081 and 1084 of title 18 of the US 
Code to outlaw gambling on the Inter- 
net. The bill also would require the US 
Attorney General to report on the ex- 
tent of computer gambling and the prob- 
lems associated with enforcing laws 
against it. 

"My bill will protect children from 
logging on to the family computer, bor- 
rowing the family credit card, and los- 
ing the family home, all before their par- 
ents get home from work," Kyi said. 

The Internet Gambling Prohibition 
Act "dispels any ambiguity by making it 
clear that all online betting, including 
sports betting, is illegal," Kyi said. He 
noted that non-sports online betting cur- 
rently is being interpreted as legal. 

The bill also would make gambling 
on the Internet or other interstate com- 
puter networks a criminal offence, and 
would provide a mechanism for law en- 
forcement to stop illegal gambling. And 
it also makes it clear that Internet ac- 
cess providers are covered by the pend- 
ing legislation. 

But in a letter to the Senate Judici- 
ary Committee's ranking Democrat, Sen. 
Patrick Leahy (Vt.), Acting Assistant 
Attorney General I. Anthony Sutin said 
the legislation would not only be unen- 
forceable, it would adversely affect the 
way people look at and conduct business 
on the Internet. 

In his letter, Sutin expressed serious 
reservations about the bill's attempt to 
criminalize office pools, fantasy sports 
games, and "casual" bets conducted us- 



July 1998 



International Journal of Forensic Computing 



ing e-mail or the Internet. 

Because the National Gambling Im- 
pact Study Commission is reviewing the 
issue of Internet gambling, Sutin sug- 
gested that Congress wait for the NGISC 
report before further work on the bill. 

Hong Kong looks at 
gambling firm 

An online sports betting service tar- 
geting Chinese gamblers has come un- 
der scrutiny of Hong Kong Police. 

The Easybets service, based in the 
Dominican Republic, went online last 
September and has just launched its Chi- 
nese language interface. 

Following a series of high-profile 
raids on illegal gambling operations in 
the territory, the Hong Kong Police have 
stated they are "looking into" the 
Easybets service. 

Principal information officer, Li 
Sung-ming said although Hong Kong 
legislation did not address Internet gam- 
bling, any bet that was not specifically 
sanctioned by law was illegal. "We are 
targeting the act itself rather than the 
means," he said. 

"The Internet isjust like a telephone. 
You place a bet by electronic means. It 
is no different than if you use a tel- 
ephone to call a bookmaker to place a 
bet." 

Easybets spokesman Robby Ho said 
that the online gambling trade was not 
prohibited in Hong Kong, "We're not an 
illegal company. If we were an illegal 
company, we wouldn't be here. At this 
moment, we don't have any area that's 
against the law, because we're a licensed 
company, we hold a license that says we 
can accept bets. Our bookie is licensed 
to accept bets anywhere in the world." 

However, according to the Hong 
Kong Police, the issue is almost cer- 
tainly illegal although a case precedent 
is yet to be established. "In Hong Kong 
some kinds of betting are legal, just like 
betting on the horse races," Li said. 

"Apart from these legal gambling 
activities, all gambling is illegal in Hong 
Kong. So betting on the Internet is ille- 
gal in Hong Kong." 

Because of uncertainty over its le- 
gal status, Easybets has no plans to mar- 



ket the service in China, but will con- 
centrate instead on Hong Kong, Singa- 
pore and Taiwan. 

Easybets was set up as an online 
companion to a small chain of Dublin- 
based bookmakers called PM Racing. 
The company, which was founded in 
1972, is now owned by Hong Kong in- 
terests. 

It claims to have around 2,000 ac- 
tive customers, around 30 per cent of 
who are based in the Asia-Pacific region. 

The average wager is around US$200 
to $500, with minimum bets of $10; a 
big contrast to the US 30 cents that 
some Irish punters would bet in PM Rac- 
ing. Ho said that on a good day the site 
takes around $410,000 in soccer bets, 
with $245,000 on basketball, though this 
includes telebets. 

High-tech leaders ask 
for looser encryption 

The Clinton Administration's current 
encryption policy is killing the US soft- 
ware industry in the international mar- 
kets, and proposals to introduce key es- 
crow policies would cost billions, high- 
tech executives said today. 

The White House's encryption policy 
"is turning out to be a real crisis," Novell 
Inc. chairman Eric Schmidt said at a 
Business Software Alliance conference. 
"It's killing the American industry." 

The US government today restricts 
companies from exporting encryption 
technology above a 40-bit key length 
without meeting some special condi- 
tions. 

Over the next two-year period, US 
companies will be allowed to export up 
to a 56-bit key length if certain condi- 
tions are met related to investments and 
plans to incorporate key recovery tech- 
nology into future products. 

At the end of the two-year period, US 
export controls are scheduled to revert 
back to a maximum 40-bit key length - 
without going through a formal approval 
process for individual licenses, as is the 
situation today. 

Citing two studies released today on 
electronic commerce and encryption, 
the high tech execs, including Schmidt, 
Adobe Systems Inc. chairman and chief 



executive officer John Warnock and 
Microsoft Chairman and CEO Bill Gates 
said that business-to-business Internet 
commerce for the year 2000 is esti- 
mated in the $66 billion to $171 billion 
range. 

By 2002, electronic commerce is 
expected to reach $300 billion, the elec- 
tronic commerce study said. 

The second study on the cost of key 
escrow encryption showed that the to- 
tal direct cost of the "back-door" sys- 
tem of gaining access to consumers' 
encrypted computer files envisioned by 
the White House will cost at least $7.7 
billion per year and $38.5 billion over 
five years. 

"As we've said in the past, encryption 
policy must be guided by the digital 
Hippocratic Oath — first, do no harm," 
Schmidt said. "The high cost of the key 
escrow system documented in this study 
does not pass this test." 

And US software companies have a 
lot to lose, according to the first report, 
"E-Commerce: Policy Principles De- 
veloped by Members of the BSA on 
Critical Issues Facing the Future of 
Electronic Commerce." 

According to the e-commerce re- 
port, traffic on the Internet doubles 
every 100 days, with some 8.2 per cent 
of the US economy already devoted to 
Internet technology. 

The study also found that advertis- 
ing spending on the Internet reached $1 
billion in 1997, triple the amount spent 
in 1996, and that by the year 2000, at 
least 46 million Americans will pur- 
chase products or services online, 
spending an average of $350 per person 
per year. 

According to the study, "The Cost of 
Government-Driven Key Escrow 
Encryption," conducted by Nathan As- 
sociates, the cost for users to comply 
with such a key escrow system is at least 
$1.7 billion per year, while payments 
that users would have to make to escrow 
agents to comply with this system is $6 
billion per year. 

The high tech execs met with Attor- 
ney General Janet Reno and FBI Direc- 
tor Louis Freeh to discuss the impact 
of key escrow on the industry and the 
US economy. Both Reno and Freeh want 
the back door keys to encryption pro- 



International Journal of Forensic Computing 



July 1998 



grams to assist law enforcement. 

But "encryption with a back door is 
widely available," Microsoft's Gates 
said. "That's a change in the world of 
spying and law enforcement that we can- 
not affect. "Having all of us deliver 
breakable encryption isn't going to 
change that." 

The bill, "Encryption Promotes the 
Rights oflndividuals in the Virtual Arena 
Using Computers (E-PRIVACY) Act," 
would allow US companies to export 
products with strong encryption without 
key-recovery requirements, provided 
that a competing fore gn product is al- 
ready or imminently available. 

The bill also provides for a National 
Electronic Technologies Centre, which 
would assist law enforcement at all lev- 
els with expertise in encryption technol- 
ogy. The bill subjects all encryption 
products to a technical review of their 
capabilities prior to export. 

While the bill prohibits the manda- 
tory escrow of decryption keys, it allows 
law enforcement access to decryption 
keys under existing wiretap authority 
and allows them to obtain keys or third- 
party assistance for remotely stored data 
with a court order or subpoena. 

US computers still 
being attacked 

More than a half dozen serious at- 
tacks on the US government's compu- 
ter networks have occurred in the past 
five months, according to the head of 
the FBI's National Information Protec- 
tion Centre. 

And NIPC head Michael Vatis warned 
that that more attacks are on the way. 
Testifying before the US Senate Judici- 
ary Committee's subcommittee on tech- 
nology, terrorism and government in- 
formation, Vatis said that "somewhere 
in the vicinity of a half dozen of what I 
would consider substantial" attacks were 
launched against US government com- 
puter networks since February." 

Vatis declined to give specifics on 
the attacks, telling the hearing that in- 
vestigations into the attacks were under 
way. But Vatis did acknowledged that De- 
fence Department computer systems 
were always a prime target. 



Attempted intrusions into Defence 
Department computers make up "a good 
percentage of the incidents we see," 
Vatis said, because the Defence Depart- 
ment "is such a prime target for even 
individual hackers who want to test their 
skills." 

"They see the Department of De- 
fence as the big banana," he said, "the 
ultimate challenge to test their skills." 

Vatis' testimony before the Senate 
subcommittee came less than a week af- 
ter Stanford University reported that its 
Stanford Linear Accelerator Centre re- 
search laboratory was attacked. 

The lab, which runs under a Depart- 
ment of Energy contract, had to stop 
outside access to prevent further intru- 
sions, according to a newspaper report. 

The paper reported that more than 30 
of the centre's file servers were 
accessed illegally, and could have been 
used as jumping off points to other gov- 
ernment and research centre networks. 

The MilWOrm and other groups also 
continued their forays into India's com- 
puter networks. (See page 15). One 
group, which calls itself Armageddon, 
claims to have gained access to an In- 
dian biomedical research facility. 

The group says it has accessed and 
retrieved test results and internal 
memos on the effects India's recent nu- 
clear tests have had on India's environ- 
ment and civilian population. 

The group claims to have broken into 
the facility's servers on June 5, a claim 
that is just now going public, AntiOnline 
founder John Vranesevich said. 

"The hackers apparently used 
critl .univ-montp2.fr as a bounce point 
to hack the Indian server bioinfo.ernet.in 
among others," Vranesevich said. 

Although the facility denied the 
group's claims of accessing the facili- 
ty's servers, an e-mail message retrieved 
by Armageddon from a Prof. A.S. 
Kolaskar, director of the Bio informatics 
Centre, saying that "our Web page was 
tampered by using your machinie (sic) 
critl .univ-montp2.fr," appears to sup- 
port Armageddon's claims. 

"They have logged in as 'root' into 
our machine and changed the files," the 
e-mail said. "The hackers have played 
with our log files. We lost information 
from 3rd June to 6th June." 



"It amazes me that this organisation 
would flat out deny being hacked," 
Vranesevich said. The letter, he said, was 
"sent from the Director of the 
Bioinformatics Centre to the adminis- 
trator of one of the computers that the 
hackers used as a jump point. I think this 
clearly shows that yes, they were indeed 
hacked." 

Washington anti spam 
law kicks in 

Washington State's new anti-spam 
law is now up and running, although it is 
still at the centre of controversy. 

The law forbids the transmission of 
certain types of junk e-mail from com- 
puters in Washington or to e-mail ac- 
counts held by Washington State resi- 
dents. Many characterise the law as a 
"truth in spamming" law, because e-mail 
that does not contain forged header in- 
formation or misleading subject lines, 
or has not used a mail server without 
permission, are not forbidden. 

Each message that violates the law 
entitles minimum damages of $500 to 
individuals and $1,000 to Internet serv- 
ice providers. The law also allows the 
Attorney General's Office to take legal 
action. 

Generating more controversy and 
confusion from the law is not the "truth 
in spamming" aspect, but the issue of 
how spammers know an e-mail address 
is held by a Washington State resident. 

The law states, "For purposes of this 
section, a person, corporation, partner- 
ship, or association knows that the in- 
tended recipient of a commercial elec- 
tronic mail message is a Washington 
resident if that information is available, 
upon request, from the registrant of the 
Internet domain name contained in the 
recipient's electronic mail address." 

Some Internet service providers, 
such as America Online and IBM.NET, 
have stated they will not respond to such 
requests, potentially leaving many 
Washington State residents without the 
protection of the law. 

Attorney David H. Kramer, of Sili- 
con Valley's largest law firm, Wilson 
Sonsini Goodrich & Rosati said: "The 
portion of the statute dealing with infor- 



July 1998 



International Journal of Forensic Computing 



mation being available from the domain 
name registrant is not exclusive. It 
merely provides one sure fire way of es- 
tablishing the spammers knowledge." 

Nevertheless, anticipating a problem 
over this section of the law, the Attor- 
ney General of Washington State en- 
tered into an agreement with the Wash- 
ington Association of Internet Service 
Providers for the WAISP to create an e- 
mail registry for Washington State resi- 
dents. 

The registry allows Washington resi- 
dents to add their e-mail addresses to 
the registry. Would-be spammers can 
check one address at a time to deter- 
mine if an address is held by a Washing- 
ton State resident. 

The registry, for use by any Wash- 
ington State resident with an e-mail ad- 
dress, is at http://registry.waisp.org. The 
e-mail addresses can only be released 
to the Attorney General or any other 
party by court order. 

The Attorney General's Office has 
set up a Web site specifically about the 
new law, including information on ways 
to submit complaints electronically. 

The site is at http://www.wa.gov/ 
wwweb/AGO/junkemail. The Washing- 
ton anti-spam law can be found on the 
Web at http://leginfo.leg.wa.gov/pub/ 
bi 11 info/house/275 0-2774/275 2- 
s_sl_032798 

Blue Ribbon for 
online freedom 

The Electronic Frontier Foundation 
in the US has announced that it is re- 
launching its Blue Ribbon Campaign for 
Online Freedom of Expression. It says 
the move is in opposition to new Con- 
gressional attempts to impose censor- 
ship controls on the Internet. 

The original campaign in 1995 raised 
awareness of and opposition to the 
Communications Decency Act (CDA), 
which was eventually ruled unconstitu- 
tional by a unanimous Supreme Court 
decision. 

"When the U.S. Supreme Court 
struck down the CDA exactly one year 
ago this month and declared that speech 
on the Internet is entitled to the highest 
Constitutional protection, we had hoped 



that Congress would have given up on 
its foolish crusade to restrict protected 
speech on the Internet," said EFF Presi- 
dent Barry Steinhardt. 

"Sadly, we were mistaken and the 
struggle isn't over yet. The Blue Ribbon 
campaign is just as urgent today as it was 
a year ago." 

For more information visit the Web 
site at http : //www. eff. org/b lueribbon. 

US law tackles Net 
paedophiles 

The US Congress is taking a tough 
route to ensure the safety of children 
from sexual predators. 

By a unanimous vote, the House 
passed H.R. 3494, the Child Protection 
and Sexual Predator Punishment Act of 
1998. The bill, which has the support of 
the Clinton Administration, now moves 
to the Senate. 

The bill would amend the federal 
criminal code to subject to a fine and 
five years' imprisonment anyone who 
knowingly contacts, or attempts to con- 
tact, an individual under the age of 18 
for purposes of engaging in criminal 
sexual activity, or who knowingly trans- 
fers obscene matter to such an indi- 
vidual. 

The bill also sets a three-year mini- 
mum term of imprisonment for entic- 
ing or coercing within US jurisdiction, 
or for using a computer or any facility 
of interstate or foreign commerce to 
entice or coerce, any individual under 
age 18 to engage in prostitution or a 
criminal sexual act, and doubles penal- 
ties for abusive sexual contact where the 
victim is under the age of 12. 

"The technology of computers and 
the Internet have got ahead of the law," 
co-sponsor Rep. Tony Hall (D-Ohio) 
said. "This bill is an attempt to catch up." 

The legislation, which is expected to 
pass the Senate by the same margin, 
would require mandatory life prison sen- 
tences for serial rapists, and a minimum 
of a life sentence for a person convicted 
of a sexual offence that causes the death 
of a person under age 14. 

• New York State Attorney Gen- 
eral Dennis Vacco's "Operation Rip 



Cord" nabbed another three men, this 
time from Long Island, for distributing 
child pornography on the Internet. 

The three men, Joseph Greco, 44, of 
Great Neck, Irving Winick, 51, of Roslyn 
Heights and Curtis Elder, 38, of 
Westbury were charged with transmit- 
ting pictures of young girls engaged in 
sexual acts. 

"These arrests should be taken as a 
loud and clear signal that I have zero tol- 
erance for the dissemination of vile 
child pornography and that I will seek 
jail time for those snared by Operation 
Rip Cord," Vacco said. 

"Children are being raped and mo- 
lested in order to produce this smut, 
which is then zapped into our homes with 
the click of a mouse," he said. 

Irish phone card fraud 
arrests 

Police in Ireland arrested eight peo- 
ple after investigating the country's big- 
gest ever telecommunications fraud. 

The phone fraud against Telecom 
Eireann resulted in the arrest of six men 
and two women while 14 premises were 
raided in the Dublin area. 

The raids were the biggest of their 
type in Ireland and involved 38 officers 
from the Garda (police) Bureau of Fraud 
Investigation. 

The fraud is alleged to have centred 
around the use of cloned Telecom 
Eireann phone cards, which were used 
from payphones to call premium rate 
phone lines, which cost 150 Irish pence 
($2.20) a minute to call. 

After deductions, the premium rate 
phone line operator gets slightly more 
than 60 per cent of the proceeds from 
the call. The fraudsters using the cloned 
phone cards may have been in league 
with the operators of the premium rate 
lines, meaning they were effectively be- 
ing paid for revenue that Telecom 
Eireann was not collecting. 

According to Telecom Eireann, its 
monitoring system picked up on the po- 
tential for a fraud when lengthy duration 
calls were spotted going to the three pre- 
mium rate lines in question. 

Unfortunately for the former state 
telecommunications firm, around 



International Journal of Forensic Computing 



July 1998 



7 



100,000 punts ($150,000) was paid into 
the bank accounts of the premium rate 
line operators before the cloned cards 
were traced. 

The premium rate lines apparently 
offered computer problem assistance to 
callers and requested that a PIN was en- 
tered. Because the lines were not adver- 
tised anywhere, and the fact that callers 
actually ended up listening to a silent 
line - only talking down the line from 
the payphone when someone else 
wanted to use the phone - it is thought 
that the bulk of the call revenue origi- 
nated from the clonec cards. 

Cyber warfare threat 

Potential enemies of the US are 
working on ways to disrupt the nation's 
cyber networks, CIA Director George 
Tenet warned Congress. 

"These countries recognise that 
cyber attacks against civilian computer 
systems in the United States represent 
the kind of asymmetric option they will 
need to * level the playing field' during 
an armed crisis against the United 
States," Tenet told a US Senate Govern- 
mental Affairs Committee hearing here. 

"We know with specificity of several 
nations that are working on developing 
an information warfare capability," he 
said. Although Tenet declined to name 
any countries, Committee Chairman 
Fred Thompson (R-Tenn.) cited China, 
Russia, Libya, Iran and Iraq by name, and 
alluded to at least seven other countries 
developing information warfare strate- 
gies. 

"We cannot wait for an electronic 
Pearl Harbour or Oklahoma City to rec- 
ognise there is a problem," Thompson 
said. "At risk are the systems that con- 
trol the nation's national security, air 
traffic, finances, power and communi- 
cations." 

Thompson added that "while most 
Americans know about the benefits of 
computers, they may not be aware of the 
darker side of the information age that 
could leave us vulnerable to attack." 

US Air Force Lt. Gen. and National 
Security Agency (NSA) head Kenneth 
Minihan agreed with Thompson's warn- 
ing of an "electronic Pearl Harbour," 
telling the hearing that attacks on US 



computer networks were happening 
"every day." 

"We are only seeing the tip of the 
iceberg," Minihan told the hearing. 
"Even when attacks are detected and re- 
ported, we rarely know who the attacker 
was." 

According to Tenet, attacks on US 
computer networks would include "our 
electric power grids and our telecom- 
munications networks" as "targets of the 
first order." 

"An adversary capable of implanting 
the right virus or accessing the right ter- 
minal can cause massive damage," Tenet 
said. 

Such adversaries could include for- 
eign intelligence and military organisa- 
tions, terrorists and guerrilla groups, 
criminals, industrial competitors, hack- 
ers and disgruntled employees, he said. 

"Both government and private indus- 
try sources cite the Internet, inside of- 
fenders, and certain foreign countries as 
the biggest threats to the national secu- 
rity of the United States," Tom Talleur, 
director of NASA's Computer Crimes 
Division said. 

"Today's hackers are not juveniles 
playing games," Talleur said. "The seri- 
ous threats are coming from militias and 
other fringe groups who seriously want 
to disrupt and destroy the government, 
as well as from international terrorists 
and groups trying to spy by computer." 

"Computer security problems will 
get a lot worse before they get better," 
Talleur said, noting the growing sophis- 
tication, age and motives behind hack- 
ing, accurately known as "cracking." 

"Many computer hacking cases now 
involve individuals in their mid-20s to 
mid-30s," Talleur said, "and they're in- 
volved with a number of fringe groups 
who either perceive the government as 
the enemy, or are trying to obtain infor- 
mation to destabilise government secu- 
rity." 

Virus causes red faces 

A new virus has been identified 
which can send copies of the victim's 
Word documents to dozens of different 
Usenet newsgroups. 

Antivirus and security software firm 
Data Fellows has warned that the macro 



virus tricks Net users into reading it by 
using subject lines like "New Virus 
Alert!," "Important Princess Diana Info" 
and "How to find child pornography." 

The bug is formally designated the 
WM/PolyPoster virus, for Word Macro/ 
Polyposter. When it posts, the messages 
look like they came from a machine's 
real user and include the user's real 
name and signature, says Data Fellows. 

To work, the virus, activated by open- 
ing a MS Word DOC file, must find a 
copy of the popular Forte Agent 
newsgroup reader program and there 
must be an active Internet connection. 

Data Fellow's manager of antivirus 
research Mikko Hermanni Hypponen 
said that Word versions 6.0 through 
Word 97 are vulnerable to the bug and 
that there was no real way for users to 
tell if their copy of Word is infected. 

Hypponen said that antivirus program 
F-Prot, developed by Forte and Data 
Fellows, would tackle the problem and 
the program is available on the Web at 
http://www.DataFellows.com 

Hypponen said the virus was only 
discovered recently and that he does not 
know whether it is widespread yet. The 
virus infects all documents it posts so 
users who view them in Word also get 
infected. This allows the virus to spread. 

Some Newsgroups where it posts at- 
tract thousands of users while others are 
more specialised. The bug's internal list 
includes several groups with erotic ma- 
terial, others aimed at both traditional 
hackers and crackers. 

The documents go out as message 
attachments because Word uses binary 
formatting codes. In the body of the 
message, the virus sends "JZ/Ntrag ol 
Ybeq Angnf," identified by Data Fellows 
as a ROT- 1 3 system encryption of the 
plain text, "WM/Agent by Lord Natas." 

Hypponen says traditional security 
methods like firewalls and Windows NT 
security settings do not evade this kind 
of virus, which Data Fellows considers 
to be a completely new type. 

"Viruses like WM/PolyPoster will 
arrive to users through normal e-mail 
document attachments, and will further 
spread from the company's network with 
e-mail or standard Usenet newsgroup 
postings. Most firewalls won't prevent 
this from happening." 



July 1998 



International Journal of Forensic Computing 



postings. Most firewalls won't prevent 
this from happening." 

He added: "This is something we've 
been expecting for quite some time. Vi- 
ruses which activate by simply deleting 
data are easy to recover from by using 
back-ups. However, there is no way to 
recover from an incident where a virus 
posts confidential documents publicly 
to the Internet." 

More information on Data Fellows 
is on the Web at http:// 
www.DataFellows.com, which informa- 
tion specific to the WM/PolyPoster vi- 
rus is in the site at http:// 
www.DataFellows.com/v-descs/ 
agent.htm 

Spam undermines 
e-commerce 

The problems of junk e-mail and 
online fraud could undermine consumer 
confidence and slow the growth of In- 
ternet commerce, according to the Fed- 
eral Trade Commission. 

FTC Commissioner Sheila F. 
Anthony, testifying before the US Sen- 
ate Commerce, Science and Transpor- 
tation Committee's communications 
subcommittee, spoke of the dangers. 

She said that, while the Commission 
"steadfastly called for self-regulation as 
the most desirable approach to Internet 
governance. ..for problems involving de- 
ception and fraud, however, the Com- 
mission is committed to law enforce- 
ment as a necessary response." 

Subcommittee chairman Sen. 
Conrad Burns (R-Mont.) called spam "a 
threat to computer networks across the 
nation". "Spamming is truly the scourge 
of the Information Age," he said. 

While not all unsolicited commer- 
cial e-mail is fraudulent, Anthony said 
the "Internet's capacity to reach literally 
millions of consumers quickly and at a 
low cost through UCE has been seized 
on by fraud operators, who are often 
among the first and most effective at 
exploiting any technological innovation. 

"UCE has become the fraud artist's 
calling card on the Internet," she said. 

Of over 100,000 pieces of UCE the 
FTC staff has reviewed, Anthony said, 
"much of it contains false information 



about the sender, misleading subject 
lines, and extravagant earnings or per- 
formance claims about goods and serv- 
ices. These types of claims are the stock 
in trade of fraudulent schemes." 

Although most bulk UCE burdens 
Internet service providers and frustrates 
recipients, Anthony said the FTC's main 
concern with UCE "is its widespread use 
to disseminate false and misleading 
claims about products and services of- 
fered for sale on the Internet. 

"The Commission believes the pro- 
liferation of deceptive bulk UCE on the 
Internet poses a threat to consumer con- 
fidence in online commerce," Anthony 
said. He added that the FTC earlier this 
year worked with the United States 
Postal Inspection Service, putting more 
than 1,000 junk e-mailers on notice that 
the agencies are monitoring and keep- 
ing track of unsolicited e-mail for 
fraudulent schemes. 

Eileen Harrington associate direc- 
tor of the FTC's Bureau of Consumer 
Protection, said the Commission has 
brought more than 35 federal law en- 
forcement actions to stop fraud and de- 
ception on the Internet, most involving 
"old-fashioned scams". 

As part of its weaponry to combat 
online fraud, Harrington said the FTC 
recently launched Consumer Sentinel, 
the first bi-national, multi-state compu- 
terised consumer fraud database that 
uses the Internet to provide secure ac- 
cess to consumer complaints for over 
1 50 law enforcement organisations 
across the US and Canada. 

Consumer Sentinel contains over 
110,000 complaints, including 23,000 
complaints added just since March 
1998, concerning telemarketing and di- 
rect mail problems, as well as Internet 
fraud, Harrington said. 

The FTC also maintains an e-mail 
box at uce@ftc.gov which receives more 
than 1,500 e-mails a day where consum- 
ers can forward unsolicited commercial 
e-mail they believe may be fraudulent 
or deceptive, she said. 

The FTC recently published three 
new consumer publications about unso- 
licited commercial e-mail, online fraud 
scams and safe Net browsing. These are 
available from the FTC Website at http:/ 
/www. ftc.gov 



New name for Net 
lobby 

The Internet trade and lobby group 
Interactive Services Association has 
been renamed the Internet Alliance. 

"This name change reflects our evo- 
lution towards building an alliance of 
innovators, political and industry lead- 
ers," ISA Executive Director Jeff 
Richards said. "We're advancing our 
mandate to undertake the public policy, 
advocacy and leadership tasks that shape 
the industry landscape." 

Richards said the association's mem- 
bership, consisting of about 85 per cent 
of the consumer-focused online serv- 
ices industry, including America Online, 
AT&T, Bell Atlantic, IBM, Microsoft, 
Netcom, Netscape and Prodigy, will 
speak for the industry in such areas as 
online privacy, unwanted e-mail, taxa- 
tion, encryption, content regulation, 
children's marketing online, Internet se- 
curity, fraud and law enforcement. 

"The emergence of the Internet Al- 
liance signifies that the fastest growing 
industry on the globe is poised to act 
upon its promises and obligations to 
policy makers and constituents," ISA 
Chairman Bill Burrington said. 

Censorship law put on 
hold for talks 

A federal judge in the US has granted 
a civil liberties group a preliminary in- 
junction against a New Mexico Internet 
censorship law. 

The law, Senate Bill 127, was signed 
by New Mexico Gov. Gary Johnson on 
March 9, and would have gone into ef- 
fect July 1 . it carries penalties of up to 
one year in jail, a $1,000 fine, or both, 
makes it a crime to disseminate by com- 
puter material "harmful to minors," when 
that material, "in whole or in part, de- 
picts actual or simulated nudity, sexual 
intercourse or any other sexual con- 
duct." 

The American Civil Liberties Union 
said it would not challenge the "child 
luring" portion of the law, however, 
which targets paedophiles who use the 
Internet to "knowingly and intentionally 
induce a child under 16 years of age" to 



International Journal of Forensic Computing 



July 1998 



engage in sexual contact. 

Although New Mexico Assistant At- 
torney General Steven Bunch told US 
District Court Judge LeRoy Hansen that 
the law was specific in that it applies only 
to direct online communication be- 
tween a minor and an adult, Hansen said 
he was concerned over the effect of the 
law on interstate communications. 

The law, however, while in many re- 
spects is similar to laws already struck 
down as unconstitutional in three states 
and in the US Supreme Court, is one of 
the most restrictive pa sed so far in any 
state, ACLU national i ;aff attorney Ann 
Beeson said. 

Wiretapping deadline 
extended 

The US House of Representatives 
has extended a deadline requiring tel- 
ecommunications companies to give the 
FBI access to the nation's developing 
digital telephone system. 

As part of the Justice Department's 
appropriations bill, the House adopted 
a provision to extend by two years the 
deadline for telecommunications firms 
to comply with the 1994 Communica- 
tions Assistance for Law Enforcement 
Act. The deadline now is October 1, 
2000. 

The FBI's wiretapping scheme grew 
out of the CALEA, which allows the FBI 
to participate in the process of setting 
technical standards for the development 
of the US telecommunications system. 
CALEA also requires telecommunica- 
tions carriers and manufacturers to build 
wiretapping capabilities into the nation's 
telecom infrastructure. 

Under the law, the federal govern- 
ment would have reimbursed the telcos 
up to $500 million to develop the tech- 
nological infrastructure and implement 
the plan by October 24, 1998. 

E-commerce software 
flaw found 

A flaw in a type of e-commerce soft- 
ware protocol could be the key for 
crooks to decode Internet-based trans- 
actions under certain circumstances. 

A researcher at Lucent Technolo- 



gies' Bell Labs unit has discovered that 
a well-equipped hacker can decode "the 
contents of an Internet session protected 
by the standard encryption scheme used 
in most World Wide Web commerce." 

Bell Labs' Daniel Bleichenbacher 
found the problem in secure sockets 
layer (SSL), which is based on technol- 
ogy developed by RSA Data Security Inc. 

E-commerce software companies 
like Netscape Communications, Micro- 
soft, and RSA, have written and are now 
distributing a patch for the problem. 

RSA said that the cracking of the code 
has so far happened only in a lab and not 
in the outside world. In addition, "Due 
to the large number of messages 
needed, the potential attack is detectable 
by network administrators," RSA said. 

RSA's Web site is at http:// 
www.rsa.com. 

Customs tackle abuse 

A bill has been launched in the US to 
help Customs officers catch those who 
get involved in online child exploitation. 

U.S. Rep. Nick Lampson announced 
the move, warning of the threat that can 
lurk within the Internet. 

Lampson said his measure would 
give an additional $2 million to the Cus- 
toms Service's International Child Por- 
nography Investigation and Co-ordina- 
tion Centre, which seeks potential pae- 
dophiles and child smut traffickers. 

During a news conference at the Cus- 
toms Service's north Houston office, a 
computer displayed a sexually explicit 
"chat room," one of thousands that al- 
lows users to communicate anony- 
mously or trade software. 

Customs Special Agent John 
MacKinnon said about three per cent of 
the rooms cater to illegal activity, such 
as luring children into sexual rendezvous 
or the trading of child sex pictures. The 
criminals often use software allowing 
them to lurk in such rooms without their 
identity appearing on screen. 

"Not only do they not want to be 
seen by law enforcement, they remain 
in rooms and avoid conversation while 
they look to identify a child of the age 
and gender they prefer," MacKinnon 
said. "Then they reach out and try to se- 
duce that child." 



MacKinnon said Customs agents 
have arrested 670 people on related 
charges since 1991. 

He said at least one Customs agent 
in each of the service's 20 main offices 
is proficient in computer sleuthing, but 
most of the effort is conducted at his 
office in Washington. 

Because so much child pornography 
flowed into the United States from 
abroad by more traditional smuggling 
means, MacKinnon said Customs has 
been the lead federal agency for decades. 
The service was a natural fit to address 
the move of such material to comput- 
ers, he said. 

Doc admits child porn 

A doctor in the US accused of using 
a medical computer to look at child por- 
nography on the Internet pleaded guilty 
and agreed to undergo therapy. 

Gary Beehler, 37, pleaded guilty to 
modifying the Providence Newberg 
Hospital computer system by installing 
a modem and Internet software without 
permission. 

In exchange, prosecutors agreed to 
drop all other charges against him — 
while limiting Beehler's access to chil- 
dren through his medical practice. 

"The process has been painful, but I 
think it has helped me better understand 
myself and the underlying reasons for 
my sexual disorder," Beehler said at his 
court appearance. 

Judge John L. Collins sentenced 
Beehler to 20 days in the Yamhill County 
Jail. Beehler also must serve five years 
on probation, not use the Internet, and 
complete a treatment program with a 
clinical psychologist. 

Oregon State Police searched the 
hospital computer and discovered more 
than 400 sexually explicit images, many 
involving pre-pubescent boys and pubes- 
cent girls, according to court docu- 
ments. 

During a search of the doctor's 
home, police also discovered a two-way 
mirror that had been installed between 
an office and a child's bedroom and bath- 
room. 

But it did not appear that the hidden 
camera behind the two-way mirror was 
ever used, prosecutor Cal Tichenor said. 



July 1998 



International Journal of Forensic Computing 



Product news 



HP tackles global 
telecoms fraud 

Hewlett-Packard has created a glo- 
bal fraud management-consulting pro- 
gram to help fixed and mobile phone op- 
erators tackle crime. 

The new operation will provide fraud 
audits, business case development, and 
fraud centre consultation and training. 

Mary Chacanias, former director of 
fraud prevention for Bell Atlantic and an 
expert in fraud centre management, has 
joined HP to lead the effort. 

"The formation of HP's fraud man- 
agement consulting program will help 
service providers worldwide take a 
proactive approach to reducing losses 
due to telephone fraud," said Tom White, 
HP's vice president. 

"The program will benefit signifi- 
cantly from the talent and experience of 
Mary Chacanias, who is recognised in- 
ternationally as an expert in communi- 
cations fraud," he explained. 

The new program will build on HP's 
experience in providing network moni- 
toring systems, he said, including the 
capability to detect fraud on a real-time 
basis, which enables service providers 
to take swift action to prevent losses, 
reduce bad debt and catch those who 
misuse the networks. 

Plans call for the program to centre 
on HP's acceSS? system, which offers 
real time network monitoring and data 
collection services to telecommunica- 
tions service providers. 

Under the program, Chacanias and a 
team of trained consultants will analyse 
service providers' current practices, rec- 
ommend process changes, and outline 
measurable results to strive for in main- 
taining a proactive approach to fraud 
management. 

HP's test and measurement opera- 
tions' Web site is located at http:// 
www.tmo.hp.com 

Network Associates 
buys Dr Solomon's 

US firm Network Associates is buy- 
ing UK-based Dr. Solomon's Software 
in a stock-trade deal the two firms val- 
ued at more than $640 million. 



The deal is expected to close within 
the third quarter of this year and is sub- 
ject to approval by Dr. Solomon share- 
holders, the High Court in London, and 
various regulatory reviews. 

Dr. Solomon's holds the top market 
position for antivirus software in the UK 
and several northern European coun- 
tries, while NAI is strong in network 
security and antivirus markets in the US 
and Europe. The company still consid- 
ers McAfee VirusScan its flagship. 

Bill Larson, chairman of Network 
Associates, said the two firms have been 
in talks on and off for the past four years 
about combining their businesses. 

Larson said the keys to finally mak- 
ing a deal was the growing opportunity 
to up-sell corporate owners of Dr. Solo- 
mon's antivirus software into an inte- 
grated NAI network security suite while 
combining customer bases. 

'Tn a year or two we won't be talking 
about antivirus or intrusion detection or 
firewalls as point products," Larson re- 
marked. "We'll be talking about inte- 
grated network security suites as a core 
component of the enterprise." 

Larson said he expects the acquisi- 
tion, which will involve NAI's issuing 
15.4 million new shares, will let NAI go 
head-to-head globally with such huge 
network software vendors as Computer 
Associates and Tivoli. 

Dr. Solomon's anti-virus toolkit will 
continue to be heavily marketed but will 
also become part of Network Associ- 
ates' enterprise security suites, the To- 
tal Virus Defence suite, and Net Tools 
Secure. 

Larson said that, by the end of 1999, 
the two firms' antivirus products would 
be folded together into one. 

@ Meanwhile Network Associ- 
ates has announced big expansion plans 
for the Asia-Pacific market. 

"From a minimal presence in the re- 
gion four months ago, we have increased 
our infrastructure, manpower and sales," 
said James LaLonde, Network Associ- 
ates' director for the Asia-Pacific re- 
gion. "Our newly launched Network As- 
sociates partner program, under which 
we have appointed some of the region's 
best and strongest networking channels, 
gives us added confidence in our ability 



to take market share in the region rap- 
idly." 

The new company has established 
offices in Japan, Australia, Singapore 
and Hong Kong over the last four months 
and has recently opened its first office 
in China, in Beijing. 

Encryption key 
recovery 

US firm Entrust Technologies says 
it has found a solution for businesses 
and groups which need to recover 
encryption keys without third-party key 
escrow. 

The company has announced its abil- 
ity to deliver an Enterprise Key Recov- 
ery solution that allows firms to retain 
full control of their encryption keys to 
protecting valuable information. 

Businesses understand the impor- 
tance ofkey backup as they must be able 
to retrieve encrypted data when users 
lose their decryption keys, forget their 
passwords or leave the organisation. 

If users forget their passwords, En- 
trust's Enterprise Key Recovery feature 
provides system administrators with the 
ability to allow users to recover their 
keys and regain access to encrypted data. 
And Entrust says the Enterprise Key Re- 
covery gives corporations the ability to 
deliver only the relevant decrypted data 
to law enforcement officials or other 
third parties. 

"While the debate over the relevant 
merits ofkey escrow continues, we con- 
tinue to see strong business require- 
ments for Entrust 's Enterprise Key Re- 
covery feature," said John Ryan, presi- 
dent and chief executive officer, Entrust 
Technologies, Inc. 

"Organisations want to retain control 
of their sensitive information and our 
system meets this requirement while 
providing the ability to surrender de- 
crypted data to law enforcement offi- 
cials when necessary." 

Entrust says the system addresses a 
critical business problem while main- 
taining protection for documents signed 
with digital signatures. Entrust software 
provides separate keys for encryption 
and digital signatures, but only includes 
the encryption keys in the key recovery 



International Journal of Forensic Computing 



July 1998 



11 



system. This is designed to ensure that 
users' digital signatures are not compro- 
mised by the key recovery system. 

For more information contact En- 
trust on +1 613 247-3455, e-mail 
carrie.bendzsa@entrust.com or visit the 
Website at www.entrust.com 

Cellular calls can be 
tracked 

SigmaOne Communications Corpo- 
ration announced the first prototype 
demonstration of its -9 1 1 system for 
locating and tracking cellular calls. 

The demonstration is the first sys- 
tem to be deployed in the Southern Cali- 
fornia area in the US to successfully 
prove that a cellular caller can be lo- 
cated and continuously tracked while in 
motion. 

"We are extremely pleased to report 
results that prove the accuracy and ef- 
fectiveness of our E-911 location sys- 
tem," said Mark Licht, president of 
SigmaOne. 

"By locating stationary and mobile 
calls, this is an extremely important step 
in offering law enforcement agencies 
and emergency personnel the best tools 
for locating and responding to emergen- 
cies as they happen. Cellular subscrib- 
ers are now armed with a communica- 
tion device they can rely on at the most 
critical times." 

Its makers say that the demonstration 
of the Southern California network- 
based system shows accuracy results of 
105 meters (345 feet), 67 per cent of 
the time, in both stationary and continu- 
ous tracking tests. 

SigmaOne says this exceeds the FCC 
Phase 2 mandate of 125 meters (410 
feet). The capability to successfully 
track a moving vehicle on the voice 
channel means SigmaOne's technology 
can locate cellular callers in a variety 
of environments. 

Tested in the San Fernando Valley 
area, the demonstration was conducted 
with a mixture of residential and com- 
mercial settings, including two, three 
and four-story buildings. The continu- 
ous, extensive testing of the system in- 
cludes 350,000-location test points per- 
formed to-date with 10,000 new loca- 



tions tested daily. 

And the makers say that as an exam- 
ple of the system's capabilities, the re- 
sults from a sample mobile test run dem- 
onstrated accuracy of 50 meters over 
1,000 test locations and that 99.1 per- 
cent of all test points exceeded the 
FCC's accuracy mandate. 

The company is currently in devel- 
opment of its second generation inte- 
grated AMPS/TDMA system expected 
to be available for testing in the fourth 
quarter of 1998 and a CDMA system in 
the first quarter of 1999. 

SigmaOne's second generation cor- 
relative location technology is a net- 
worked-based system that it is claimed 
will reliably and accurately measure the 
bearing angle of arrival and time differ- 
ence of arrival of incoming cellular 
phone 911 calls. 

Features will include a fully-inte- 
grated base station that will support ei- 
ther AMPS only or AMPS and TDMA 
IS-136 and a capacity to handle 500 lo- 
cations per second per cell. 

For more information contact 
SigmaOne on +1 818 348-3300 or e- 
mail mlicht@pacbell.net 

Green light for scram- 
bling export 

Computer Sentry Software in the US 
has announced that it has been granted 
approval to export advanced encryption 
software to virtually any company in any 
country in the world. 

The US Department of Commerce 
recently authorised the company to ex- 
port its new product, the CyberAngel 
EXR, which offers encryption strengths 
ranging from 56-bit DES to the ultra- 
powerful 448-bit Blowfish. 

"The CyberAngel EXR will allow 
global organisations - anywhere, in any 
industry - to adopt world-wide data 
encryption standards," said Dyrk 
Halstead, CEO of Computer Sentry 
Software. 

"The vast majority of export authori- 
sations granted to US encryption com- 
panies so far have been limited to spe- 
cific countries or industries such as fi- 
nancial services." 

The CyberAngel EXR protects 



stored data - such as files on a laptop or 
PC - and was designed to allow the le- 
gitimate access to that data in the event 
that "keys" or passwords are forgotten 
or unavailable. 

As such, EXR met the requirements 
for exportation under the KMI, Key 
Management Infrastructure, and export 
license exception. 

"The Department of Commerce has 
found a win-win solution for the govern- 
ment and the US software industry with 
Computer Sentry Software's encryption 
product," said William Reinsch, Under- 
secretary of Bureau of Export Admin- 
istration, US Department of Commerce. 

Barry C. Collin, Senior Research Fel- 
low, The Institute for Security and In- 
telligence said, "We believe that the re- 
sponsibility for finding a security sys- 
tem that serves the global needs of cor- 
porations and that satisfies public safety 
is the responsibility of the private sec- 
tor. 

"Computer Sentry Software has 
neatly solved this problem by providing 
plain text data recovery while ensuring 
individual privacy for corporations 
around the world. CyberAngel EXR of- 
fers an impressive breadth of security 
functionality, enabling corporations to 
recover data on specific PCs and laptops 
- without compromising the security of 
the entire enterprise." 

The CyberAngel EXR offers three 
powerful encryption algorithms: 448-bit 
"Blowfish," 128-bit EMD-2 and 56-bit 
DES, the US government's Data 
Encryption Standard. 

Its makers say the CyberAngel EXR 
actively detects unauthorised users on 
both mobile and networked computers 
preventing access to information stored 
on the hard drive as well as on the cor- 
porate network. 

In the event of an unauthorised ac- 
cess attempt, the CyberAngel silently 
alerts either Computer Sentry Soft- 
ware's monitoring headquarters or a cor- 
poration's network administrator, via 
modem or network TCP/IP connection. 

Following an access alarm, regis- 
tered computer owners are notified by 
CSS of the attempted breach within two 
minutes via e-mail or fax. 

For more information contact Com- 
puter Sentry Software on +1 615 790- 



July 1998 



International Journal of Forensic Computing 



8821 ext. 103, e-mail 
brian@sentryinc.com or visit the 
Website at www. sentryinc .com 

New name and new 
security systems 

Cycomm International Inc. has an- 
nounced that its secure computing sub- 
sidiary has a new name and has also 
launched 12 new products. 

Cycomm Secure Solutions Inc, for- 
merly XL Computing Corporation, says 
the new products provide protection 
against the increasing number of cyber 
attacks being made on government and 
business information networks. 

"The risk of information loss due to 
intrusion of the computing infrastruc- 
ture is a grave and growing one," stated 
G.T. Gangemi, President and CEO, 
Cycomm Secure Solutions. 

"The threats range from sabotage of 
data to financial fraud to theft of pro- 
prietary information. Our product intro- 
ductions broaden the arsenal of security 
tools available to organisations such as 
the military, government agencies, and 
financial institutions. 

"In fact, any corporation that relies 
on computers to run their business 
needs to analyse this facet of their com- 
pany's information security program. 

Cycomm Secure Solutions says that 
its line of EMI (ElectroMagnetic Inter- 
ference) and Tempest (the classified 
standard for securing computer equip- 
ment and peripherals products) will ap- 
peal to firms and government agencies 
which rely on top-level security. 

Computers, monitors, keyboards, 
printers and related peripherals produce 
emissions that can be intercepted with 
relatively inexpensive equipment 
through the building structure from vari- 
ous distances. In this regard, it is possi- 
ble to obtain the content being inputted 
or transmitted. 

The new EMI products are commer- 
cial grade and include a 260E Pentium 
II Personal Computer, a 4525E Colour 
Monitor, and a 43 OE ruggedized port- 
able laptop. As exportable EMI prod- 
ucts, they are designed for use by busi- 
ness and governments internationally. 

"The military is concerned, too, 



about protection of the armed forces, 
communications," said Jules Rutstein, 
Vice President of Business Develop- 
ment for Cycomm Secure Solutions. 

"Late last year, a Presidential com- 
mission questioned how prepared the 
United States is against electronic war- 
fare. Cycomm Secure Solutions is ex- 
panding our Tempest-approved compu- 
ter line to help address that. 

"We have the only Tempest version 
of a Compaq DeskPro computer and a 
Tempest version of a Hewlett-Packard 
laser jet printer. This will allow users to 
buy industry standard products for use 
in a classified environment." 

The 3512T and 3522T laser printers 
expand Cycomm Secure Solutions' line 
of Tempest printers. Based on the 
Hewlett-Packard 4000 LaserJet, these 
printers meet the specifications for 
Level I (3512T) and Level II (3522T) 
NSA Tempest criteria. 

Cycomm Secure Solutions is releas- 
ing another model of the only commer- 
cially available NSA-endorsed Tempest 
laptop. The new 425LT has a 200 MHz 
MMX processor with optional upgrade 
to a 233MHz processor and memory 
expandable to 128MB. The 425LT si- 
multaneously supports 1.44MB floppy 
and 20X CD-ROM drives and has 2 se- 
rial ports. 

Other products being announced by 
Cycomm Secure Solutions include the 
430E, a secure, ruggedized laptop. 
Based on a Panasonic CF25, the 430E 
is for tactical secure computing. Addi- 
tionally, two new Zone desktop comput- 
ers, the 215MXA and 215MXB, are be- 
ing introduced. 

For further information, contact 
Laurie Rice, Director of Corporate 
Communications, Cycomm Interna- 
tional, at +1 800-884-8544 or visit the 
Cycomm Website at www.cycomm.com 

Internet filtering and 
monitoring solution 

A system to manage Internet content 
at the workplace has been launched by 
US firm Content Advisor in a bid to cut 
down on system abuse. 

Content Advisor's tool uses trained 
editors to systematically categorise 



URLs and is tightly integrated with the 
leading firewall product from Check 
Point Software Technologies, Ltd. 

The system lets network managers to 
effectively monitor Internet usage 
deemed inappropriate in the workplace, 
control valuable network bandwidth and 
protect against potential legal issues. 

"Now that Internet access is essen- 
tial to business, employers need a reli- 
able and flexible solution to filter and 
monitor Internet usage," comments 
Steve Shannon, president and founder of 
Content Advisor. 

"Our patent pending technology pro- 
duces the best corporate solution by of- 
fering the largest database of catego- 
rised URLs and the most accurate and 
rigorous standard for categorisation to 
be customised according to the specific 
needs of the corporate user." 

For more information contact Lynne 
Christos Taylor on +1 617 520-9116 

• A software company that monitors 
Internet usage says sexually explicit web 
sites are being accessed by employees 
during work hours at nearly two-thirds 
of responding companies. 

Kelly Haggerty, spokesman for 
Elron Software Inc., says the Internet 
Manager program can pinpoint exactly 
which inappropriate sites have been se- 
lected, "It goes down to the specific user 
or work station, depending on how the 
computer is configured." 

Haggerty said that almost one-third 
of companies polled have taken punitive 
action against employees who abuse web 
surfing privileges. 

She said: "We mainly focus on re- 
porting to enforce a particular Internet- 
acceptable usage policy that the com- 
pany or organisation has put into place." 

Rita Risser, an attorney specialising 
in employment law issues, says an em- 
ployee disciplined for viewing sexually 
explicit sites while at work would have 
little recourse. 

She said: "Under the Federal Elec- 
tronic Communications Privacy Act, 
employers have the absolute right to 
monitor employees' Internet and e-mail 
type uses. There is no right to privacy." 

The program is available on the Web 
at http://www.mailjail.com for $19.95, 
or on a CD for $29.95 plus shipping. 



International Journal of Forensic Computing 



July 1998 



Fake software ring smashed 



A software theft ring involving al- 
most $20 million worth of Microsoft 
computer software disks is almost 
closed after seven people were charged 
in the US. 

The five men and two women, all 
residents of Massachusetts, were in- 
dicted in federal court with conspiring 
to transport stolen computer disks and 
computer software in interstate com- 
merce from December, 1995, until De- 
cember, 1997. 

All of the defendants except one also 
are charged with 16 counts of transport- 
ing specific shipmer, s of stolen com- 
puter disks in interstate commerce. 

The disks originally had been stolen 
from Kao Infosystems Co., a computer 
disk manufacturer and distributor lo- 
cated in Plymouth, Massachusetts, by 
three warehouse employees. 

Two of the warehouse employees - 
Scott J. Dooley, 29, of Hyannis, Massa- 
chusetts, and Kelly Downing, 27, of Ply- 
mouth, Massachusetts - pleaded guilty 
to a one-count indictment charging they 
conspired to steal more than $25 mil- 
lion worth of computer disks and soft- 
ware from Kao Infosystems. 

The indictment also charged them 
with conspiracy to transport millions of 
dollars worth of stolen computer disks 
and related merchandise in interstate 
commerce, US Attorney Donald K. 
Stern said. 

The third employee - John J. 
Costello, 36, of Marshfield, Massachu- 
setts - pled guilty to one count of con- 
spiracy to transport the disks. 

In the most recent round of indict- 
ments, Robert S. Simons, 61, of 
Peabody, Maxine S. Simons, 58, of 
Peabody, William A. Simons, 34, of 
Salem, Sherri L. Craig, 35, of Maiden, 
David F. LaPointe, 34, ofHyannis, Marc 
L. Rosengard, 44, of Salem and Dover, 
New Hampshire, and Gerald P. Coviello, 
61, of Woburn, appeared in US District 
Court to answer charges contained in a 
33-count second superseding indict- 
ment, Special Agent in Charge of the FBI 
Barry W. Mawn said. 

Three of the defendants - Robert and 
Maxine Simons, and Craig - were 
charged with a separate conspiracy to 
launder the proceeds of the various sales 
of stolen property, and with eleven 



counts of money laundering. 

LaPointe and Maxine Simons also 
were charged in three counts with struc- 
turing various transactions in order to 
conceal the sale and purchase of the sto- 
len property, and Maxine Simons also 
was charged with making false state- 
ments to the FBI during the investiga- 
tion of the case. 

US Attorney spokeswoman Amy 
Rindskopf said the indictment charged 
LaPointe with selling the stolen com- 
puter products to Crazy Bob's, a dis- 
count computer software and hardware 
store in Wakefield and operated by 
Robert and Maxine Simons. 

The stolen property included "sub- 
stantial amounts" of the Microsoft CD- 
ROMs stolen from Kao Infosystems. 

After receiving a number of ship- 
ments of stolen property, the indictment 
charged that Crazy Bob's sold the disks 
to various CD-ROM outlets in Califor- 
nia and the UK. 

Robert Simons and Coviello also 
tried to sell 8,000 stolen Microsoft Of- 
fice 97 Professional disks last fall to a 
buyer from North Carolina for 
$245,000, the indictment charged. 

As Coviello attempted to transfer the 
disks and collect the money from the 
North Carolina buyer, he was placed un- 
der arrest by the FBI, Mawn said, while 
Simons was arrested at Crazy Bob's of- 
fice in Wakefield. 

Rindskopf said that, if convicted, 
each of the defendants face penalties of 
up to five years in jail and a $250,000 
fine on the conspiracy count. 

Robert, Maxine and William Simons, 
as well as Craig, LaPointe and 
Rosengard also each face additional pen- 
alties of up to ten years in prison on each 
of the 16 counts charging interstate 
transportation of stolen property. 

Robert and Maxine Simons and Craig 
each face additional penalties of up to 
20 years in prison and a $500,000 fine, 
on each of the 11 counts. 

The indictment also seeks forfeiture 
of the defendants' bank accounts and of 
$462,000, due to money laundering 
charges. 

The Kao warehouse employees - 
Dooley, Downing and Costello - have 
stolen "tens of thousands" of recordable 
compact disks, computer disks contain- 



ing Microsoft software, and other com- 
puter merchandise, Rindskopf said, 
while Dooley and Downing also stole 
more than 23,000 Microsoft Office 97 
Professional software disks, which they 
later sold for profit. 

According to the charges against 
Dooley and Downing, they also tried to 
sell a second shipment of the stolen 
disks, worth over $10 million, includ- 
ing an additional 1 8,000 Microsoft Of- 
fice 97 Professional disks, to a buyer 
from New York. 

Unknown to the defendants, how- 
ever, the buyer from New York was an 
undercover agent with the FBI, who had 
been introduced to the defendants by one 
of their co-workers at Kao, Mawn, said. 

On March 22, 1997, after final ar- 
rangements had been made for the sale 
of the $10 million shipment to the New 
York buyer, the three defendants were 
arrested on a federal warrant, Mawn said, 
and the $ 1 0 million shipment was recov- 
ered from a storage facility in Plymouth. 

• The FBI and the US Attorney's 
Office for Indiana arrested a number of 
alleged software pirates in a series of 
fast-paced raids at a computer fair. 

The raids came after a five-month in- 
vestigation into individuals accused of 
illegally making and selling CD-ROM 
compilations and counterfeits of a 
number of software packages, worth 
millions at real prices. 

During the raid at the MarketPro 
Computer Show at the Indianapolis fair- 
grounds, which was co-ordinated with a 
parallel raid in Radcliff, Kentucky, FBI 
agents seized counterfeit software, un- 
bundled software and computer hard- 
ware, including CD-ROM duplicating 
equipment, and financial records. 

California-based software firm 
Autodesk initially alerted the FBI to the 
alleged counterfeit operation as a result 
of its own investigation following a call 
to its anti-piracy hotline. 

The suspects allegedly sold counter- 
feit copies of AutoCad Release 14, nor- 
mally a $3,750 product, on CDs with- 
out documentation for $75, as well as a 
CD compilation with more than $3,500 
worth of Adobe software for $60. 

The Software Publishes Association 
has a hotline on +1 800-388-7478. 



July 1998 



International Journal of Forensic Computing 



Nuclear hackers 



Members of the MilwOrm hacking 
group claim to have broken into the com- 
puter network of a nuclear research fa- 
cility in India. 

The group, which calls itself 
MilwOrm, said it accessed e-mail mes- 
sages sent between nuclear scientists 
and Israeli government officials, as well 
as a list of planned nuclear projects and 
other files related to India's nuclear re- 
search program. 

Members of the group, who use the 
online aliases of'JF," "Hamstor," "Key- 
stroke," "savecore," "Venomous" and 
"ExtreemUK," said some of the files 
they copied belonged to a group of ex- 
periments called the Neutron-Gamma 
Coincidence Studies. 

They said they broke into the Bhadha 
Atomic Research Centre (BARC) to 
protest about the Indian nuclear testing. 

"It seems the Indians don't have the 
(security) technology to protect the (nu- 
clear) technology they have," a source 
close to the MilwOrm group said. 

"It's ironic that India has weapons 
capable of destroying the world, but they 
can't secure a little web server which is 
connected to their networks," one of the 
hackers, called Keystroke, said in an In- 
ternet relay chat with John Vranesevich, 
founder of the Anti Online Web site at 
http : //www, ant ion line . org. 

"We have information on their weap- 
ons, their test projectories (sic), every- 
thing, and we are doing this from all over 
the world," another MilwOrm hacker, JF, 
said. "They are not secure, MilwOrm are 
beating them, this shouldn't be happen- 
ing" 

The group broke into BARC's local 
area network through its Web site at 
http : //www. bare . ernet . in which was con- 
nected to the LAN, Vranesevich said. 
"There was a firewall, but it wasn't 
configured properly and MilwOrm man- 
aged to bypass it," he said. 

The group was able to access e-mail 
between the BARC scientists, as well as 
a list of planned nuclear projects and 
other files related to India's nuclear re- 
search program. 

One piece of e-mail retrieved by the 
group detailed a conversation about in- 
creasing the yield of gamma rays in 
Pml41, an isotope of the rare earth el- 
ement Promethium. 



"The slight increase in the yield of 
882 (keV gamma ray) in our alpha data 
could be accepted because at lower en- 
ergy, the population of the isomer may 
be more which stabilises after some 
threshold energy of the projectile," the 
e-mail said. 

After being shown the information, 
scientists of the University of Tokyo's 
Institute for Nuclear Studies said it had 
nothing to do with weapons but that it 
did contain "pretty advanced nuclear 
physics." 

The group said it is "still contemplat- 
ing" what to do with the information they 
hacked, "but we securely have it locked 
away and we will be keeping this posi- 
tion until further events unfold." 

"We could use it in a very serious 
case of international terrorism and sell 
the information," they said, "but as we 
are not interested in causing world trou- 
ble (he he) we will hold onto it." 

MilwOrm also changed BARC's 
Web page into an anti-nuclear tirade. 

"It just goes to show that T\fo' infor- 
mation is safe, the group said. This is a 



highly classified and highly sensitive is- 
sue, the recent tests show that it is no 
laughing matter." 

Officials at BARC confirmed their 
computer network was infiltrated and 
that e-mail was accessed, but denied the 
breach had been serious. 

"It's all taken care of, there's noth- 
ing to worry about," an official said. He 
confirmed the claims of the group of 
hackers calling themselves "MilwOrm" 
who said they managed to breach net- 
work security at BARC, change the Web 
home page and download five megabytes 
worth of e-mail and data. 

"It's a very normal loophole in 
sendmail," the official said. Sendmail is 
defacto Internet standard software for 
running electronic mail systems. 

"Definitely, there was some problem 
with sendmail, they were using an old 
version," he added before refusing to 
comment any further. 

Sendmail has been the object of 
many security attacks in the past and 
most security-conscious users have ad- 
dressed the loopholes uncovered and 




International Journal of Forensic Computing 



July 1998 



documented over the years. 

It is unlikely that the sendmail soft- 
ware at BARC had been updated with the 
latest security measures. 

A second group of hackers also at- 
tacked the BARC Web site. As opposed 
to the MilwOrm group, which attacked 
the network and accessed files, the sec- 
ond group replaced the home page with 
a simple message under the title "Just 
Say No." 

"Nuclear Tests in India. This page has 
been hacked in protest of a nuclear race 
between India, Pakist n and China. It is 
the world's concern hat such actions 
must be put to end since, nobody wants 
yet another world war. 

"I hope you understand that our in- 
tentions were good, thus no damage has 
been done to this system. No files have 
been copied or deleted, and main file has 
been just renamed," the Web page read. 

Chairman of the Atomic Energy 
Commission, R Chidambaram, has de- 
nied that any of the hackers had gained 
access to sensitive information of any 
kind from the classified servers. 

Chidambaram said that the hackers 
could access only the BARC home page, 
which was in the public domain, and 
some of the e-mail messages. 

"The computers used for these are 
isolated from all other computers be- 
ing used at the BARC and obviously did 
not contain any sensitive information," 
he said. 

Dr. Dekne, senior scientist at the 
BARC confirmed that there was no criti- 
cal data that was wiped out from the 
BARC computer server simply because 
the centre physically isolates sensitive 
data from the Web and e-mail servers 
which are prone to such attacks. 

He said: "We have several levels of 
isolation before reaching our internal 
network." He added that formulas and 
cascading mathematical equations are 
usual in e-mails among nuclear scien- 
tists. 

While the incident may have involved 
only non-sensitive information, it may 
have helped to alert India's network man- 
agers about the importance of security, 
said Dr. S. Ramakrishnan, director of 
ERNET (Education & Research Net- 
work), India's first Internet service pro- 
vider to which BARC is connected. 



"Recent access by hackers has been 
only to e-mail messages of scientists 
and BARC home page information, and 
the connections for these are isolated 
from all other computers used at BARC 
and obviously do not contain any sensi- 
tive information," said S. Narendra, prin- 
cipal spokesman for the Indian govern- 
ment. 

Meanwhile, the MilWOrm group, 
made up of of about a half dozen teens, 
aged 15 to 18, from around the world, 
says it has gained access to servers in a 
Turkish nuclear research facility. 

According to John Vranesevich, 
founder of antionline.org, the teenage 
intruders gained access to the Cekmece 
Nuclear Research and Training Centre 
in Istanbul and retrieved hundreds of 
pages of memos and e-mail from scien- 
tists, including conversations between 
Turkish nuclear scientists and the Inter- 
national Atomic Energy Agency (IAEA). 

The MilWOrm group, Vranesevich 
said, also apparently had assistance in 
accessing the Turkish facility from a sec- 
ond "hackgroup," which also has turned 
over "proof that they also gained ac- 
cess to servers in Iran, Israel and Latvia. 

But like the information retrieved 
from BARC, none of the information 



stolen from the Turkish research centre 
appears to be directly related to nuclear 
weapons research. 

There do appear to be several 
encrypted documents downloaded from 
the Turkish facility, Vranesevich said. 

Since the story first broke about 
MilWOrm 's penetration into the Indian 
nuclear research centre, the group, with 
members from the US, the UK, Israel 
and New Zealand, have also claimed they 
are attempting to infiltrate nuclear re- 
search sites in Pakistan as well. 

But according to one Pakistani 
source, it would be difficult for any 
group to infiltrate the Pakistani centres. 

"Neither Pakistan Atomic Energy 
Commission, nor Kahuta Research 
Laboratories (Uranium enrichment 
plant site and research centre) have loop- 
holes for external Internet hackers to log 
in," Rashida Shaikh said. 

"Computer systems installed there 
for nuclear computation and information 
systems purpose are disconnected from 
Internet service. 

"Even different remote computer 
centres are not on WAN (wide area net- 
work), except a few. So hackers who log 
in planning to log in using Internet con- 
nectivity are just wasting their time." 



Hacking across the world in seconds 



The MilWOrm group said they 
accessed the BARC computers 
through a series of "hacks," start- 
ing by a telnet out of their indi- 
vidual computers to a Wingate* 

The Wingate software is used by 
hackers as jump points without fear 
of being logged, they said,, 

The group then did a telnet to a 
NASA Jet Propulsion Laboratory 
(JPL) server at 

tartaruSojplnasa.gov, which served 
as the "dead end 95 point, or the last 
place someone can retrace the hack- 
ers tracks. 

From the JPL server, the group 
then went to a US Navy server via 
telnet at yokipc.navy.mil, then to the 
US Dental Command Centre at 
dencom.army.miL 

)rm thee reportedly used 



the Dental Command Centre site as 
a jump point to India and the BARC 
system. The group was then able to 
access e-mail between the BARC 
scientists, as well as a list of 
planned nuclear projects and other 
files related to India's nuclear re- 
search program. 

A US Army spokesman con- 
firmed that uoauthoiised sources 
did break into a US Army compu- 
ter system last week, but declined 
to speculate whether that was the 
route MilWOrm took to gain access 
to the Indian facility. 

The incident, however, is being 
investigated by both the US Army 
and FBI Army spokesman Gerry 
Gilmore said. He added that the 
dencom site was immediately shut 
down, and has since been secured. 



July 1998 



International Journal of Forensic Computing 



UK DERA porn scandal 



The Journal has helped un- 
cover one of the biggest Inter- 
net pornography scandals in the 
UK. Paul Johnson reports. 

Workers at a Ministry of Defence 
research laboratory downloaded more 
than 170,000 pornographic images in 
just three weeks. Many of the pictures 
involved young children or animals. 

Details of explicit and illegal images 
were revealed during the trial of a com- 
puter engineer who worked at the De- 
fence Evaluation Research Agency in 
Malvern, Worcestershire. 

Paul Roper, 35, was acquitted at 
Droitwich magistrates court on all eight 
counts of possessing indecent compu- 
ter photographs after a five-day hearing. 

MoD investigators were astonished 
at the sheer amount of pornography at 
the Malvern DERA site - an agency re- 
sponsible for developing battlefield 
technology for Britain's armed forces. 

The investigators found that a key 
computer server, which was intended to 
help scientists swap information or con- 
duct Internet research, had spent most 
of its time downloading and distribut- 
ing the pornography images. 

Although Mr Roper, a network engi- 
neer, was found not guilty, evidence 
given during the hearing showed the ex- 
tent and scale of computer misuse by 
workers at the DERA. 

The court was told that any of 3,500 
users of a sophisticated government 
computer system, mostly civil servants, 
could log on and access vast quantities 
of pornographic material without re- 
strictions. And the trial heard that a spe- 
cial program called Sucker had been 
used, which automatically retrieves 
thousands of pictures from the Internet 
while the operator is left free to carry 
on with other day-to-day computer work. 

Records show that during the course 
of just three weeks in January and Feb- 
ruary last year, one user alone 
downloaded more than 30,000 pictures 
from Internet newsgroups - areas in 
cyberspace where people can swap in- 
formation, computer programs or pic- 
tures with each other. 

In one case, 10,045 images were 
taken from a newsgroup called 
"erotica.teen.female" and another 2,868 



pictures were retrieved from one called 
"erotica. young". Other newsgroups 
where pictures were downloaded in- 
clude those entitled "lolita", "school- 
girls", "pre-teen" "rape", "pedophilia" 
"torture", "bestiality" and "incest". 

Although the computer system is 
based in Malvern, it is linked to dozens 
of other military and government sites 
across the country using high-speed con- 
nections and ISDN lines. 

Forensic computer expert Jim Bates, 
technical director of Computer Foren- 
sics Ltd, gave evidence in court for the 
defence and had made an independent in- 
vestigation of the material stored on the 
DERA computers, including the central 
server system which acted as a hub to 
other satellite computers. 

He told the court that he found thou- 
sands of suspect files on the computer 
server and said that a large amount of 
the system's time was spent on distrib- 
uting pornography. 

Mr Bates said: "A preliminary analy- 
sis of the log indicates that around 60 
per cent of callers were accessing the 
pornographic newsgroups and around 90 
per cent of the active server time was 
spent on transferring pornographic arti- 
cles. 

"The concept of an unrestricted net- 
work available to anyone, from any com- 
puter sounds fine in theory. However, 
given that such provocative material and 
intriguing material was available at the 
push of a button it is not surprising that 
this problem developed to such alarm- 
ing proportions." 

He added: "The configuration of the 
network at Malvern and its associated 
sites was apparently self-designed and 
self-administered and it seems that lit- 
tle attention was paid to access secu- 
rity." 

And Mr Bates said that even when 
MoD investigators moved in after the 
allegations came to light, computer por- 
nography was still being retrieved. 

He said: "Even after the 24 th of Janu- 
ary, when presumably most personnel 
either knew directly or had heard that an 
inquiry was being made, pornographic 
material was still being downloaded 
from the server in large quantities. 

"Thus in spite of the seriousness of 
the situation, no attempt was apparently 



made to cut off the supply of this mate- 
rial at the source." 

The court heard that Mr Roper had 
even brought the huge amount of por- 
nography to the attention of managers, 
but with little consequence. 

Paul Roper, from Malvern, was 
cleared of the pornography charges af- 
ter the court heard that evidence had 
been accidentally corrupted by DERA 
managers and MoD police during initial 
investigations and that the correct foren- 
sic procedures had not been followed. 

Mr Bates told the court: "The actions 
of management and security personnel 
has compromised and contaminated the 
evidence that I have seen in this case. 

"These people should certainly have 
realised that the best course of action 
was to isolate and switch of the relevant 
machines pending expert attention. They 
should have known better and the result 
of their activity has been to obscure an 
already complex case." 

Mr Bates added that although a large 
quantity of computer pornography had 
been found, it could not be directly 
linked with Roper as his machine could 
be used by anyone who entered the 
room. 

He said: "Access could be gained 
through the computer by simply switch- 
ing it on and pressing the enter key when 
asked for a password. Thereafter, access 
to the server and the whole of the Inter- 
net was just as free." 

After the case, a spokesman for the 
Defence Evaluation Research Agency, 
part of the M inistry of Defence, said ac- 
tion was taken when employees were 
found to be misusing the computers. 

He said: "It's a disciplinary offence 
to download material from the Internet 
that is not related to work on a work 
computer in work time. We take it very 
seriously. We have made it quite clear 
that accessing this sort of material in 
government time and on government 
property is not allowed." 

He added: "Ninety per cent of our 
work is military science and technology 
based. There is a lot of material on the 
Internet and our scientists need to use it 
on a regular basis." 

Next month the Journal examines 
the problems in the forensic investi- 
gation of the Roper case. 



International Journal of Forensic Computing 



July 1998 



17 



UK evidence guidelines 



ACPO Good Practice Guide - computer based evidence 



The Association of Chief Po- 
lice Officers in the United King- 
dom (ACPO) has recently issued 
guidelines to police officers deal- 
ing with the correct procedures 
to be used when encountering 
computer equipment which is be- 
lieved to contain evidence of 
criminal activity. 

Background 

The background to the production of 
this document which is believed to be 
the first giving such guidance on a na- 
tional basis is that the involvement of 
the police in computer crime can be di- 
vided into two distinct areas, namely 
computer crime investigation and com- 
puter forensics. 

There has been and still remains 
much confusion amongst those not in- 
volved on a daily basis with either or both 
of these disciplines, of the differences 
and the relevance of the distinction be- 
tween the two. 

The police service as a whole, his- 





torically did not comprehend the nature 
of computer-based evidence and the dif- 
ficulties created by the international na- 
ture of computer crime. 

The Association of Chief Police Of- 
ficers in 1996 identified a need to be 
advised on matters relating to computer 
crime and computer forensics. They in- 
structed that a working group be formed 
to carry out this function. 

As a result of this need, the policing 
regions of England and Wales made 
nominations and appointments were 
made to the group. There have been ad- 
ditions since then and there are now 
some 19 members. 

The current chairman is Detective 
Chief Superintendent Keith Akerman, 
the head of Hampshire CID. 

It is fair to say that the group is made 
up of practitioners rather than manag- 
ers and most if not all of the members 
have experience in computer crime in- 
vestigation, compu- 
ter forensics or 
both. 

Membership of 
the group is made 
up of the following 
organisations: 

• All ACPO 
Regions Including 
N Ireland 

•ACPO 
(Scotland) 

• National Po- 
lice Training 

• National 
Crime Faculty 

• Home Of- 
fice Police Infor- 
mation Technology 
Office (PITO) 

• Forensic Sci- 
ence Service 

• National 



Crime Squad 

• MOD Police 

• Police members of the Joint- 
Agency Forensic Computing Group 

The Group first met in August 1996 
with the following terms of reference: 

To provide advice and guidance to 
ACPO Crime Committee on the follow- 
ing subjects: 

The Investigation of Computer Misuse 
Act Offences 

Generally the hacking type of of- 
fences that the Metropolitan Police 
Computer Crime Unit (CCU) have tra- 
ditionally dealt with on behalf of the rest 
of the country 

Crimes on the Internet 

The main publicity about crime on 
the Internet relates to the distribution of 
paedophile material but as we know, 
there are many other crimes that may be 
committed using the Internet as a vehi- 
cle and we have recognised that co-op- 
eration with the Internet Service Pro- 
vider (ISP) industry is essential. 

To this end a combined ACPO/ISP 
forum has been created to work towards 
a memorandum of understanding be- 
tween the parties. 

Computer Based Pornography 

Work has been carried out into the 
role of the Internet Watch Foundation 
(IWF). A further area of concern is the 
effect on staff of continually viewing 
pornographic and paedophile images and 
an examination of scientific selective 
sampling is taking place 

Technology relating to Theft of 
Hardware 

This area was included in our remit 
but realistically is a different type of 
crime than the others included in the re- 
sponsibilities of the group. 

Computer Based Evidence 

This is the area of responsibility that 
has resulted in the production of the 



July 1998 



International Journal of Forensic Computing 



ACPO guide. 

Counterfeit and Pirate Software 

We are charged with looking at the 
relationship between the police and in- 
dustry organisations and establishing 
what the police response should be to 
software piracy. Work is proceeding to- 
wards a memorandum of understanding 
between the parties. 

Training Implications 

A very important aspect of our work 
is to identify any training issues that 
arise from our other work. To date all 
work carried out has identified areas of 
training need and a recently formed 
training sub group is addressing these. 

ACPO Good Practice Guide 
Computer Based Evidence 

Background 

A survey of police forces revealed 
there were various practices used in re- 
lation to the recovery of evidence from 
computers. 

Concern had been expressed that 
some of these were bad practice and li- 
able to lead to the acquittal of criminals 
if not rectified. 

It was also acknowledged that a great 
deal of good work had been carried out 
by some police forces. In an attempt to 
harness this and ensure that everyone 
benefited, a sub group of 4 people was 
set up in July 1997 with a remit to pro- 
duce a good practice guide for compu- 
ter based evidence which as an ACPO 
document would encourage standardisa- 
tion of procedures in UK police forces. 

Consultation with other agencies and 
industry took place as appropriate. Views 
and contributions were invited from in- 
terested parties and a number of meet- 
ings were held. 

We decided that it would be impos- 
sible to deal with all of the issues in- 
volved in computer forensics in one 
document. It was our view that the rea- 
sons for the failure of others to produce 
a good practice guide in the past was that 
other publications have sought to do too 
much and have ended up not achieving 
their aim. 

A draft document was tested in De- 




cember 1997 by visiting officers in- 
volved in computer forensics and allow- 
ing them as practitioners to follow the 
guide through. 

Other groups were invited to com- 
ment upon the content of the guide. 
These included the two main suppliers 
of equipment to the police to see if the 
guide created difficulties for those prod- 
ucts. 

Some minor amendments were made 
and the document was presented to the 
Computer Crime Group on 8th January 
1998 and submitted for approval to 
ACPO. 

The document was placed before the 
ACPO Crime Committee meeting in 
Cardiff on 26 th March 1998 and was ap- 
proved for circulation to all Chief Con- 
stables in England and Wales. 

The Principles 

There are five basic principles which 
underpin the message given in the guide 
and these are based on the requirement 
to ensure that any evidence recovered 
from computers is as admissible in a 
court of law as would be documentary 
evidence. 

The Doctrine of Documentary evi- 
dence may be explained as:- 

"The onus is on the prosecution to 
show to the Court that the evidence pro- 
duced is no more and no less now than 



when it was first taken into the posses- 
sion of police." 

Data held on a computer is no dif- 
ferent to information or text contained 
on a document. For this reason evidence 
that is based on a computer or on com- 
puter media is subject to the same rules 
and laws that apply to documentary evi- 
dence. 

The principles set out in the docu- 
ment are given as guidance for all po- 
lice forces when dealing with computer 
based evidence and are as follows: 

1. No action taken by Police or 
their agents should change data held 
on a computer or other media which 
may subsequently be relied upon in 
Court 

The fundamental issue is one of in- 
tegrity and acceptability of data stored 
on a computer or associated media. The 
first principle is therefore deliberately 
specific. 

2. In exceptional circum- 
stances where a person finds it nec- 
essary to access original data held on 
a target computer that person must 
be competent to do so and to give evi- 
dence explaining the relevance and 
the implications of their actions. 

In a minority of cases it may not be 
possible to obtain an exact copy of the 



International Journal of Forensic Computing 



July 1998 



19 



entire target device. In these circum- 
stances it may become necessary for the 
original machine to be accessed to re- 
cover the evidence. With this in mind it 
is essential that any such access is made 
by a person who is competent to carry 
out the function and give evidence ex- 
plaining the effect of what they have 
done to a Court of Law. The second prin- 
ciple acknowledges this. 

3. An audit trail or other 
record of all processes applied to 
computer based evf mce should be 
created and preserv An independ- 
ent third party should be able to re- 
peat those processes and achieve the 
same result. 

There are a number of reasons why 
an audit trail is important to ensure that 
the recovered data stands the best chance 
of being accepted in evidence. 

As we know operating systems and 
other programs frequently alter and add 
to the contents of the computer's stor- 
age space. This can happen automatically 
without the user necessarily being aware 
that the data has been changed. 

An audit trail of the processes will 
assist and is considered essential. In or- 
der to comply with the principles of 
computer based evidence a copy should 
be made of the entire target device. 

Partial or selective file copying 
should not be readily considered as an 
alternative. The copy or copies should 
be made onto media, which should be 
retained for examination and subsequent 
Court use. 

It is essential to objectively show to 
a Court that the continuity and integrity 
of the evidence has been preserved. It is 
necessary to demonstrate to the Court 
how evidence has been recovered show- 
ing each process through which the evi- 
dence was obtained. Evidence should be 
preserved to an extent that a third party 
is able to repeat the same process and 
arrive at the same result as that presented 
to a Court. 

4. The onus rests with the Of- 
ficer in charge of the case to ensure 
compliance with any law pertaining 
to the possession of, or access to, in- 
formation contained on a computer. 

The officer must be satisfied that the 



use of any copying device or actions of 
any person having access to the compu- 
ter complies with these laws. 

5. The onus of ensuring that 
these principles are adhered to and 
that the evidence is admissible rests 
with the Officer in charge of the case. 

The officer must be satisfied that the 
use of any copying device or actions of 
any person having access to the compu- 
ter complies with these principles. 




Both principles 4 and 5 are included 
to remind colleagues that responsibil- 
ity for ensuring that the law and the prin- 
ciples set out in this guide are complied 
with lies firmly with the Investigating 
Officer. 

He or she cannot abdicate responsi- 
bility for their own investigations by 
leaving either in house specialised staff 
or external consulting witnesses to 
make decisions on their own, without the 
investigator considering the implica- 
tions. 

Compliance with the principles will 
ensure that the continuity and integrity 
of the evidence will be preserved. We 
do not believe that it is to difficult to 
comply with these principles, even for 
forces who have not set up specific units 



to deal with computer based evidence. 
Purpose of the guide 

The document is intended for use by 
the Police Service as a guide for good 
practice when dealing with computers in 
the possession of a suspect. It is not in- 
tended as a guide for Officers dealing 
with evidence produced by witnesses 
from third party computer systems. It is 
intended for use by personnel in specific 
circumstances, namely: 

Officers discovering computer equip- 
ment 

Advice is given on securing, seizing 
and transportation of computer equip- 
ment from search scenes, with a view to 
recovering computer based evidence. 
These are simply described as: 

• What to do 

• What not to do 

• • What should be taken? 

• How to take it 

• How to pack it 

• How to transport it 

• Where and how to store it 

The advice given to persons discov- 
ering equipment to be seized is very sim- 
ple and relates to the subjects above. 
There is no attempt to reinvent the wheel 
and many of the things that are seen in 
the guide are already accepted practice 
in most police forces. In fact the more 
of the practices that are recognised by 
readers of the guide as being practice in 
their organisation the better. 

Investigating Officers 

Advice is given in relation to the 
planning and management by investigat- 
ing officers of the recovery, identifica- 
tion, production in court and storage of 
computer based evidence. Again the ad- 
vice falls into the following simple cat- 
egories: 

• Pre search considerations 
o Identification of equipment 

• What should you take? 

• Who should you take? 

• Ensure adequate briefing of 
staff 



July 1998 



International Journal of Forensic Computing 



• Detail records to be kept 

• Interview strategy 

© Retention of equipment 

This section of the guide is not in- 
tended to be seen as teaching experi- 
enced investigators to suck eggs. 

It is an attempt to encourage them to 
realise that the issue of obtaining and 
using evidence from computers requires 
as much planning as any other part of 
their enquiries. 

The subjects here are dealt with in 
the guide and it is, I would suggest, far 
better for an investigator to be in pos- 
session of the knowledge to consider 
these as part of his investigative strat- 
egy rather than deal with them on the 
hoof. 

Computer evidence recovery personnel 
Copying and reproduction of seized 
computer based evidence, by personnel 
who are trained to carry out the func- 
tion and have the relevant experience to 
give evidence in court of their actions. 

Persons who have not received the 
appropriate training and are not able to 
comply with the principles must not 
carry out this category of activity. 
The areas covered by the section are: 

• IBM compatibles 

• Non IBM compatibles 

• Hard Disks 

• Floppy Disks 

• Magnetic Tapes 

• Removable Media 

I will stress again that this section 
of the guide is aimed at experienced and 
trained personnel and is not to be seen 
by keen amateurs as authorising them to 
undertake computer forensic work. 

The guide gives general advice on 
how the listed items may be dealt with 
effectively. 

One of the things we have recognised 
as a group is that there is a need for a 
manual for evidence recovery person- 
nel and a sub group has been formed to 
produce this. 

External consulting witnesses 

Advice is given on the selection and 



management of persons who may be re- 
quired by investigating officers to assist 
in the seizure, recovery, identification 
and interpretation of computer based 
evidence. Specific guidance is neces- 
sary in this area in order to ensure that 
investigators who have little technical 
knowledge do not use inappropriate peo- 
ple. 

The following areas are included for 
consideration by investigators: 

Specialist Expertise 
This is the skill or competence to do 
a particular job 

• What are the relevant qualifica- 
tions? 

• How skilful is the person at this 
particular job? 

• What is the specific skill? 

• Is it based on technical qualifi- 
cations or length of experi- 
ence? 

Specialist Experience 

• What experience of this type of 
work has the individual? 

• How many cases? 

• What type of cases? 

• How long has the individual 
been working in this area? 

• What proof is there of this ex- 
perience? 

Investigative Knowledge 

Understanding the nature of investi- 
gations in terms of PACE, confidential- 
ity, relevance and the distinction be- 
tween: 

• Information 

• Intelligence 

• Evidence 

Contextual Knowledge 

Understanding the different ap- 
proaches, language, philosophies, prac- 
tices and roles of: 

• Police 

• Law 

• Science 



Fundamental to this is the under- 
standing of probability in its broadest 
sense and differences between scien- 
tific proof and legal proof. 

Legal Knowledge 

Understanding of relevant aspects of 
law, legal concepts and procedures in 
relation to: 

• Statements 

• Continuity 

• Court Procedures 

Clear understanding of the roles and 
responsibilities of expert witnesses is 
essential. 

Communication Skills 

The ability to express and explain in 
layman's terms, both orally and in writ- 
ing: 

• Nature of specialism. 

• Techniques and equipment used 

• Methods of interpretation 

• Strengths and weaknesses of 
evidence 

• Alternative explanations 

It is considered that all external con- 
sulting witnesses should be provided 
with a contract to ensure that they re- 
ceive the protection afforded by Section 
10 of the Computer Misuse Act 1990 
to police officers. 

It is recognised that the guide is not 
a definitive manual. It is intended to ad- 
dress the most common circumstances 
that will be encountered with evidence 
retrieved from computers. 

Conclusions 

The challenges facing the police in 
the areas of computer crime and com- 
puter forensics are beginning to be met 
now that there is national and interna- 
tional pressure for positive action to be 
taken. 

The following principles were set out 
by the G8 Government Ministers meet- 
ing on 12 th December and are therefore 
considered as a standard for countries 
to aim to meet. I have highlighted one 
of the principles that is particularly rel- 
evant when considering the ACPO guide. 



International Journal of Forensic Computing 



July 1998 



21 



Forensic Q&A 



G8 Ministers Principles: 

• No safe havens for IT criminals 

• Co-ordination of IT crime in- 
vestigation and prosecution 

• Properly trained & equipped 
personnel to address IT crime 

• Legal systems must protect 
systems from serious abuse 

• Legal systems must allow pres- 
ervation of & access to data 

• Mutual assi ince regimes to 
allow exchai ge of evidence 

• Trans-border electronic access 
to open source information 
without authorisation 

• Development of standardised 
forensic techniques for retriev- 
ing and authenticating elec- 
tronic data in investigations 

• Design of systems to prevent 
and detect hi-tech crime 

The time to standardise procedures 
for the recovery of computer based evi- 
dence is now and the issue of the ACPO 
guide is perhaps the first step to ensur- 
ing that evidence will be admissible in 
whichever country it is needed, regard- 
less of the country in which the compu- 
ter is located. 

Interpol has already decided to in- 
clude the guide in its computer crime 
manual to be circulated to all member 
countries. 

The guide is available to any law en- 
forcement agency and may be obtained 
from Detective Sergeant Nigel Jones, 
Computer Crime Unit, Police Headquar- 
ters, Sutton Road, Maidstone, Kent, Eng- 
land ME 15 9BZ. Telephone +44 
(0)1622 654925. 

E-mail nigel@ccscrops.demon.co.uk. 

The ACPO computer crime group is 
also interested in hearing from anyone 
who has developed good practice in this 
area in their own country in order that 
this may be shared on a mutual basis. 

Kind thanks to DS Nigel Jones, the 
author of this article. DS Jones, from 
Kent Police, is currently an ACPO 
representative and has just been ap- 
pointed as Secretary of the group. 



Q What does the term 'Hex 
Dump' mean? 

A First of all the word 'hex' is 
short for hexadecimal. Hexadecimal no- 
tation is the representation of numbers 
in the positional number system with 
base 16. The sixteen hexadecimal digits 
are usually represented by 0-9, A-F. 
Decimal notation works to a based of 
10 and binary notation to a base of 2. 
Any hex number can be converted into 
its decimal or binary equivalent, and vice 
versa. 

Computer code is written in pro- 
gramming languages that conform to 
hexadecimal notation. This is because at 
the most basic level computers work by 
setting a series of switches to either on 
or off (1 or 0). Information is encoded 
by noting the settings of groups of 8 
switches. If information stored on a 
computer is examined in the coded form 
it will appear in hexadecimal notation. 

Normally this is not the way in which 
it will appear to the user because the 
computer 'converts' the hexadecimal to 
more readily readable text output form. 
This is sufficient for most purposes but 
in forensic analysis it is sometimes nec- 
essary to present the information in it 
raw, or hexadecimal, form. To do this 
one uses a program called HXD.EXE 
which copies the hexadecimal code con- 
tained in defined clusters to a second 
file. This can then be printed and is used 
to show the contents of a file in their 
entirety. 

On task that will often be performed 
by a hex dump is to show the contents 
of slack space. However, hex dumps are 
now less frequently used. This is because 
specialist forensic software is increas- 
ingly available to automatically perform 
the function previously performed by a 
hex dump. 

Q Whilst investigating a number 
of 3.5" floppy disks I was unable to read 
them using a standard 1 .4Mb floppy disk 
drive in a PC. Why? 

A The most likely reason is that 
the disks were not of the same format 
as that supported on the machine on 
which they were being read. This hap- 
pens most frequently when a DOS based 



computer attempts to read Amiga or 
Macintosh disks. 

Another possible reason is that you 
have encountered some floppy disks 
with a capacity exceeding that of the 
hardware with which you are trying to 
read them. Some program floppy disks 
have a formatted capacity of 2.8Mb and 
may not be readable on a 1 .44Mb floppy 
disk drive. There are also floppy disks 
with a formatted capacity of 1 20Mb 
which need a special floppy disk drive 
in order to be accessed. 

These larger capacity floppy disk 
drives are backward compatible, so if 
you can get one you should be able to 
use it to examine all capacities. If this 
is not possible then you may be able to 
read the disks by using the machine upon 
which they were created. But be very 
careful if doing this. Always boot the 
machine with a forensically sound boot 
disk and you may consider disconnect- 
ing the hard drive to ensure that eviden- 
tial integrity is not compromised. 

Two final points to bear in mind. Al- 
ways set the write protect tag on floppy 
disks before any read attempt is made. 
And consider obtaining specialist foren- 
sic floppy disk copying software. This 
will read a wider range of formats with- 
out risk to the integrity of the informa- 
tion on the media. 

Q I've heard the term 'logic 
bomb' used when referring to computer 
viruses. Is a 'logic bomb' a virus? 

A The term logic bomb is used to 
describe a type of computer virus. It is 
defined as any program which initiates 
an action when triggered by a condition, 
such as the date, or the absence of an 
event performed on a computer. 

For example, a logic bomb may be 
programmed to destroy valuable data 
should the programmer's name ever be 
deleted from a companies employee da- 
tabase. However, the action performed 
by a logic bomb does not have to be 
malicious in intent. It may just be that 
program's operation is altered by a 
change in the environment in which it 
operates. 

E-mail questions, comments 

or suggestions, to the Journal at 

ijfc@pavilion.co.uk 



July 1998 



International Journal of Forensic Computing 



Notice Board 



We will be pleased to receive contributions to this 
page. Please mark all correspondence 'Notice 
Board'. We reserve the right to edit if required. 



Events 



21st International Conference 
on Research and Development in 
Information Retrieval 

24-28 August 1998 
Melbourne, Australia 

Contact: Keith van Rijsbergen 
Email: keith@dcs.gla.ac.uk 

IFIP World Congress 

31 August-4 September 1998 
Vienna and Budapest 

URL: http://www.ocg. or. at/ 
ifip98.html 

Securing the future 

The annual conference of the Inter- 
national Institute of Security. 

26 and 27 September 1998 
Basingstoke, Hampshire, UK 

Contact Paula Tarr 

Tel: +44 (0)1803 663275 

Fax +44 (0) 1803 663251 

California Association of 
Criminalists Fall 1998 Seminar 

14-17 October 1998 
San Diego, California 

Contact: Jennifer Shen or Tanya 
Dulaney of San Diego Police Depart- 
ment 

Tel: +1 619 531 2577 

Forensic Science Society Au- 
tumn Meeting and AGM Inter- 
pretation of Evidence 

30 October- 1 November 1998 
Sheffield, UK 

Contact: Anne Holdsworth, FSS 

Tel: +44(0)1423 506068 

Email: Anne@fscisoc.demon.co.uk 

International Journal of Forensic Computing 



Training 

DIBS®Training in Forensic 
Computing 

Over the past four years Computer 
Forensics Ltd, the originator and pioneer 
of the science of computer forensics 
and image copying technology, has pro- 
gressively developed and run unique and 
comprehensive training courses in com- 
puter forensic procedures and tech- 
niques. Hundreds of candidates have 
participated in the courses. 

Many are now skilled computer fo- 
rensic practitioners in both government 
and commercial sectors; some now un- 
dertake training in forensic computing. 

The success of the training methods 
used, in conjunction with the evolving 
nature of computer forensic science, has 
led to the expansion of the range of 
courses on offer: 

Fundamental Computer Forensics, 
Applied Computer Forensics, Advanced 
Computer Forensics, Legal and Proce- 
dural Computer Forensics, Specialist 
Courses. 

Contact: Computer Forensics Ltd 

Tel: +44(0)1903 823181 

Fax: +44(0)1903 233545 



University Diploma of Crimi- 
nal Investigation 

Teaching carried out by the Ameri- 
can University of Washington DC, the 

Paris International Centre of Foren- 
sic Sciences, and the University of Bor- 
deaux. 

Location: Bordeaux and Washing- 
ton DC. 

Contact: Prof. Doutremepuich, 
Universite V. Segelen - Bordeaux 2, 

146 rue Leo Saignat, F-33076 Bordeaux, 

France. 

Tel: (33) 5 57 57 12 68 
Fax: (33) 5 56 98 76 70 

National Training Centre for 
Scientific Support to Crime In- 
vestigation 

Specialist training courses tailored 
to customer needs, delivered in the UK 
and overseas. 

Accredited by ACPO, National Po- 
lice Training, Durham University and the 
Open University (UK) 

Contact: NTCSSC1, Co Durham, UK 
Tel: +44(0)1388 762191 
Fax: +44(0)1325 742509 



Subscription Form 

Send completed form to International Journal of Forensic Comput- 
ing, Colonnade House, High Street, Worthing, West Sussex BN11 1NZ, 
UK. 

Please enter my subscription to International Journal of Forensic 
Computing at the rate of: 

□ UK £186.00 □ Europe £216 □ International £236.00 



Name 

Position.... 
Company.. 
Address.... 



| | Cheque attached (make payable to 
International Journal of Forensic Computing) 

I I Please invoice my company quoting pur- 
chase order no 

□ Please debit my credit card: VISA/ 
Mastercard/AMEX 



Cardholder's name.. 

Card No 

Expiry date 

Signature 

Date 



July 1998 



23 



of 

FORENSIC COMPUTING, 



